
NASA Contractor Report 159358 

NASA-CR-159358


COMPARATIVE ANALYSIS OF 
TECHNIQUES FOR EVALUATING 
THE EFFECTIVENESS OF 
AIRCRAFT COMPUTING SYSTEMS 


E. F. Hitt, M. S. Bridgman, and A. C. Robinson 


BATTELLE’S COLUMBUS LABORATORIES 


505 King Avenue 
Columbus, Ohio 43201 


CONTRACT NASl-15760 
APRIL 1981 


NASA

National Aeronautics and 
Space Administration 

Langley Research Center 
Hampton, Virginia 23665






FINAL REPORT 


on 


COMPARATIVE ANALYSIS OF TECHNIQUES 
FOR EVALUATING THE EFFECTIVENESS 
OF AIRCRAFT COMPUTING SYSTEMS 


May 12, 1981 


CONTRACT NO. NAS1-15760 


BATTELLE 

Columbus Laboratories 
505 King Avenue 
Columbus, Ohio 43201 



TABLE OF CONTENTS 


Page 

INTRODUCTION 1 

SYNOPSIS OF TECHNIQUES 3 

Synopsis of Performability Analysis 3 

Overview 3 

Summary 9 

The Fault Tree Method 9 

Construction of the Fault Tree 9 

Determination of Failure Probabilities 11 

TASRA Synopsis 12 

General Discussion 12 

Overview of TASRA Modeling Procedure 14 

SCENARIOS AND FAULT TOLERANT SYSTEM DESIGNED AND ANALYZED 19 

Series-Parallel Design 19 

Dual-Dual System 21 

Scenario 21 

Multi-Processor System 23

Scenario 23

System Design 23 

Multi-Processor Design Modified for Cross-Training 31 

ANALYSIS RESULTS 35 

Series-Parallel Problem 35 

Dual-Dual System Analysis 35 

Summary of Results 35 








Performability Analysis Solution 37 

Fault Tree Solution 42 

TASRA Solution 46 

Multi-Processor System Analysis 52 

Summary of Results 52 

Performability Analysis of the Multi-Processor Problem 52 

Fault Tree Method Solution 63 

Cross-Training Problem Analysis 72 

Summary of Results 72

Performability Analysis Solution 72 

Fault Tree Solution of Cross-Training Problem 77 

CONCLUSIONS AND RECOMMENDATIONS 80 

Learning Requirements 80 

Application Effort 82 

Solution Accuracy 85 

Summary of Conclusions 85 

Recommendations 86 

Implications of Complex Problems 86 

Ability to Model Transient Faults 88 

Software Errors 88 

Tutorial Material for Performability Analysis 89 

Performability Analysis Tools 89 

Observations 89 

Credibility of Solution 89 

Data Support Models 90



REFERENCES 91 

APPENDIX A A-1 


LIST OF TABLES 


Table 1. Series-Parallel Subsystems Failure Rates 19 

Table 2. Component Requirements for Mission Performance Levels 24 

Table 3. Mission Flight Profile 25 


Table 4. Automatic Flight Functions. 


Table 5. Function Priority/Criticality 29


Table 6. MIL-STD-1553A Data Transfer Logic 


Table 7. Processors Required for Flight Functions 32 

Table 8. Subsystem Data 33 


Table 9. Economics Penalties Data


Table 10. Dual-Dual System Analysis Results for the Three Techniques 36

Table 11. Function Level Inverses of the Accomplishment Levels 39 

Table 12. Multi-Processor System Results for Performability 

Analysis and Fault Trees 53 

Table 13. Level 0 Trajectory Sets for the Accomplishment Levels 55 


Table 14. Level 1 Trajectories Corresponding to M^ = 0 ("no abort") 57


Table 15. Base Model Trajectory Sets for Each Accomplishment Level 60

Table 16. Probability (Pr) and Expected Value (E) Results for 

Performability Analysis of the Multi-Processor Problem 61 

Table 17. Probability Results of Fault Tree Analysis of 

Cross-Training Problem 78 


Table 18. Solution Man-Hours Summary 83 




LIST OF FIGURES 

Figure 1. Summary of Performability Analysis Model Hierarchy 5

Figure 2. Fault Tree With "OR" Gate 10 

Figure 3. Fault Tree With "AND" Gate 10 

Figure 4. Overview of Procedure to Implement TASRA System 

Reliability Model 15 

Figure 5. Basic Modular Procedure of Bottom-Up System Reliability 

Analysis and Prediction (for One System Level) 17 

Figure 6. Structure of System Reliability Analysis Model 18

Figure 7. Series-Parallel Design 20 

Figure 8. Dual-Dual System 22

Figure 9. Multi-Processor System Configuration 26 

Figure 10. Fault Tree for Loss of Aircraft 43 

Figure 11. Fault Tree for Divert, 0 = t=73 44 

Figure 12. Fault Tree for Landing Failure, Case 1 47 

Figure 13. Fault Tree for Landing Failure, Case 2 48 

Figure 14. Fault Tree for Landing Failure, Case 3 49 

Figure 15. Reliability Block Diagram 50 

Figure 16. Base Model State Diagram 

Figure 17. Fault Tree for Complement of Safe, On-Time Landing 54 

Figure 18. Fault Tree for Loss of Bus Communication 55 

Figure 19. Fault Tree for Loss of Aircraft 57 

Figure 20. Probability of Successful, Late Landing, 

No Cat II Requirement 68




Figure 21. Probability of Successful, Late Landing, 

Cat II Requirement 69 

Figure 22. Fault Tree for Safe Diversion 71 

Figure 23. Conceptual Relationship Between Learning Requirements 

and Mathematical Background 81 

Figure 24. Hypothesized Conceptual Relationships Between 

Complexity and Solution Effort 87 







COMPARATIVE ANALYSIS OF TECHNIQUES FOR EVALUATING 
THE EFFECTIVENESS OF AIRCRAFT COMPUTING SYSTEMS 

Ellis F. Hitt, Michael S. Bridgman, and Alfred C. Robinson


BATTELLE 

Columbus Laboratories 


SUMMARY 


The objective of this study was to evaluate "performability", a 
technique developed by the University of Michigan under NASA Grant NSG 1306, 
for its accuracy, practical usefulness, and cost of use. Performability 
analysis determines the probabilities of occurrence for a set of mission 
outcomes. It was designed for application to fault-tolerant computing systems 
used in multiphase missions. Performability was found to require significantly 
more time to learn and understand than the fault-tree method. 

Performability and fault trees were applied to a set of sample 
problems ranging from simple to moderately complex in nature. The problems 
involved up to five outcomes, two to five mission phases, permanent faults, 
and some functional dependencies. Two to six times as much clock time was 
required to apply performability as fault trees. Much of the performability 
effort was mechanical in nature. More ingenuity was required for the fault-tree 
solutions. Initial results from the methods often disagreed. Detailed 
analyses revealed the results were sensitive to mathematical procedures 
followed in dealing with small differences, round-off procedures, programming 
procedures, and the computer used. The use of only one method would not have 
revealed this sensitivity. As an observation, both methods appear to provide 
more precision than can be supported by available data. 

For most problems of practical interest, fault trees will be more 
useful than performability analysis. For highly complex problems, performability 
may offer advantages in solution accuracy and required solution effort. 
If performability analysis is to be further developed, then tutorial material 
should be written, the probability computation program should be validated, 
and further mechanization of the technique should be investigated. 



LIST OF STANDARD SYMBOLS 


$\{\ \}$              Set 

$\cup$                Union 

$\cap$                Intersection 

$\sum$                Summation 

$\prod$               Product 

$P(\ )$ or $\Pr(\ )$  Probability 

$E(\ )$               Expected value 

$\gamma^{-1}$         Inverse of the function $\gamma$ 

$\in$                 Element of (a set) 



INTRODUCTION 


Various techniques exist for evaluating the effectiveness of aircraft 
computing systems. These techniques have been used primarily for assessing the 
reliability and safety of flight control systems and digital avionics. The 
techniques are generally mathematical models which may be manually applied or 
may be implemented in computer programs. These models are normally used in 
place of testing to determine reliability, in order to avoid the cost 
of performing reliability testing. 

With the development of fault tolerant computing systems, testing 
becomes even more impractical because of the many fault tolerant architectural 
concepts that are possible and the fact that testing requires that the system 
design be committed to hardware and software. Techniques are required that can 
be used to design fault tolerant computing systems as well as evaluate the 
design of candidate fault tolerant computer systems prior to the actual development 
of the hardware and software which implement the candidate design. New 
techniques such as that developed by the University of Michigan under NASA 
Grant NSG-1306 must be evaluated against a proven technique prior to widespread 
application in order to assure that the results obtained are valid. This in 
itself poses a problem, since many of the proven techniques either are unwieldy 
and very time consuming when applied to systems of moderate complexity, or do 
not properly treat software errors, transient failures, and other features of 
fault tolerant systems. The total system must be analyzed and not just a 
portion such as the hardware components or the software. The nature of the 
systems to be analyzed is categorized by the complexity of relationships among 
system elements under the control of a software executive program. This 
complexity can lead to an intractable analysis problem for a completely general 
system. Many of the techniques, such as that developed under NASA Grant 
NSG-1306, assume some simplification by combining or partitioning system 
states. 

The objective of this report is to present the results of an 
evaluation of the practical usefulness of the techniques developed under NASA 
Grant NSG-1306 compared to other techniques such as the "conventional" fault 
tree analysis. These comparative analyses were made based upon data obtained 
from actual application of the techniques to hypothetical systems in realistic 
mission environments. The sample problems were solved using the NASA Grant 
NSG-1306 techniques (referred to hereafter in this report as "performability 
analysis"), fault tree analysis, and the Tabular System Reliability Analysis 
(TASRA). 

The first-level problem is a simple series-parallel problem which 
was used primarily to verify the researcher's understanding of the respective 
techniques and to obtain a preliminary comparison of the relative ease with 
which the techniques could be applied to a simple problem not involving time or 
environmental dependency. The results are basically a reliability measure 
involving both levels of component failures and degraded component performance. 

The second problem considered by the analysts involved a dual-dual 
flight control system and a simple mission scenario consisting of a takeoff/ 
climb phase, a cruise phase, and a descent and landing phase with Category II 
weather at the scheduled destination. 

The third problem required the analysts to analyze a digital flight 
control system which possessed some of the features of the Fault Tolerant 
Multi-Processor (FTMP) architecture developed by C. S. Draper Laboratories. 

The objective of all analyses was to provide a comparison of the 
techniques for each of the three problems. This comparison involves assessment 
of the comparative and absolute difficulty in applying the techniques to 
arrive at the cost measure including the staff time and costs involved in 
learning the techniques as well as the staff time and costs involved in applying 
the techniques to each of the problems. 

This report presents a synopsis of the techniques considered, a 
description of the fault tolerant system designs analyzed and the scenarios 
for each of the problems, and a comparative analysis of the results obtained 
by each analyst for each of the system designs analyzed. The final section of 
the report presents the conclusions and recommendations based upon the analyses 
performed. 





SYNOPSIS OF TECHNIQUES 


SYNOPSIS OF PERFORMABILITY ANALYSIS 


Performability analysis is the name given to a technique for evaluating 
the effectiveness of aircraft computing systems. The technique has been under 
development at the University of Michigan since November 1976 as a research 
project for NASA Langley Research Center under NASA Grant NSG-1306. This 
brief synopsis of performability analysis is intended to summarize the technique 
and to establish pertinent definitions. No attempt is made to explain the 
theoretical development or to explore the more sophisticated aspects and 
capabilities of the technique. Detailed material on performability analysis is 
contained in References 1-9. 


Overview 

Consider an aircraft computing system used in a multiphase mission. 
The system user (e.g., the airline) can define a set of mission outcomes, which 
is called the "accomplishment set". The accomplishment set has the form 

$A = \{a_0, a_1, \ldots, a_n\}$ 

where the $a_i$ are "accomplishment levels". An example 
accomplishment level is "safe, on-time, fuel-efficient flight". The 
"performability" of the system is the set of probabilities of realizing each 
of the accomplishment levels. In mathematical terms, the performability is 

$P(a_0),\ P(a_1),\ \ldots,\ P(a_n)$ 

where $P(a_i)$ = probability of outcome $a_i$ occurring. 

On a detailed (i.e., component) level, the system behavior is viewed 
as a stochastic process $X = \{X(t) \mid t \in T\}$ where $X(t)$ is the state of the system 
(e.g., a computer and its environment) at time $t$ and $T$ is the set of times 
at which the system is observed. For a mission with $m$ phases, observations can 
be made at time zero ($t_0$) and at the end of each phase ($t_j$, $j = 1, 2, \ldots, m$). 
Let $Q$ represent the state space of the system. Then each $X(t)$ is an element of 
$Q$. Let $q_j = X(t_j)$. A particular instance of system behavior is given by the 
"trajectory" 

$u = (q_0, q_1, q_2, \ldots, q_m)$. 

The space of all possible trajectories is called the "trajectory space" and is 
denoted by $U$. 





Each trajectory $u \in U$ corresponds to a single mission outcome $a \in A$. This 
mapping is denoted as follows: 

$\gamma : U \to A$, 

and $\gamma$ is called the "capability function". 

The two basic steps of performability analysis are: 

Step 1. For each accomplishment level $a \in A$, find 

$\gamma^{-1}(a)$ = set of all trajectories $u \in U$ which 
result in the outcome "a". 

Step 2. For each $a \in A$, compute the probability of 
occurrence of $\gamma^{-1}(a)$. Then, 

$P(a) = \Pr[\gamma^{-1}(a)]$. 

These steps are explained in more detail in the following subsections. 

Step 1. Find $\gamma^{-1}(a)$ 

For simple systems, the set $\gamma^{-1}(a)$ can be determined by inspection 
of the base model trajectories. As more complexity (e.g., more components, 
phases, interdependencies, outcomes) is introduced, it becomes increasingly 
difficult to determine $\gamma^{-1}(a)$ in a single step. A hierarchy of models can 
be used to determine the capability function (i.e., to connect the base model 
trajectory space $U$ with the accomplishment set $A$). 

While any number of intermediate models could be used, this discussion 
uses two: a mission model, also called the "level 0" model, and a function, 
or "level 1", model. The base model is called the component or "level 2" 
model. Figure 1 summarizes the model hierarchy. Each level has an associated 
trajectory space which describes the possible mission profiles in terms of the 
state space for that level. The level 0 state space could consist of parameters 
representing such mission characteristics as safety, economics, and/or 
operations. For level 1, the state space could consist of the functions to 
be accomplished, such as flight augmentation, navigation, and flight control. 
It could also include environmental variables such as the weather at the 
destination. The base level model could then be expressed in terms of the 
components which comprise the system. Model level $j$ is related to the next 
"lowest" level ($j-1$) by a function denoted $K_j$. These functions are defined by 
the nature of the system and its mission requirements. 



[Figure 1 (diagram): Accomplishment Set $A$; Level 0 (mission) trajectory space $U^0$; Level 1 (function) trajectory space $U^1$; Level 2 (component) trajectory space $U^2 = U$; $\gamma = K_0 K_1 K_2$.] 

FIGURE 1. SUMMARY OF PERFORMABILITY ANALYSIS 
MODEL HIERARCHY 


The set $\gamma^{-1}(a)$ is formulated by sequentially constructing the 
inverses $K_j^{-1}$ and linking them together. For each base model trajectory 
$u \in U^2$, 

$\gamma(u) = (K_0 K_1 K_2)(u) \in A$ 

and 

$\gamma^{-1}(a) = (K_0 K_1 K_2)^{-1}(a) \subseteq U^2$. 

For each mission outcome $a \in A$, first find 

$K_0^{-1}(a)$ = set of all mission level trajectories 
in $U^0$ which result in outcome "a" 

$= \{w \in U^0 \mid K_0(w) = a\}$. 

Next, for each $w \in K_0^{-1}(a)$, find 

$K_1^{-1}(w)$ = set of all function level trajectories in $U^1$ 
which result in mission trajectory $w$. 

Taking the union of these sets for all $w \in K_0^{-1}(a)$ gives 

$K_1^{-1}(K_0^{-1}(a)) = (K_0 K_1)^{-1}(a)$ 

= set of all function level trajectories in $U^1$ 
which result in outcome "a". 

In a similar fashion, find 

$K_2^{-1}((K_0 K_1)^{-1}(a)) = (K_0 K_1 K_2)^{-1}(a)$ 

= set of all base level trajectories in $U^2$ 
which result in outcome "a" 

$= \gamma^{-1}(a)$. 

Each single-step inverse is accomplished using "projection" functions. 
The determination of $K_1^{-1}(w)$ given $w \in K_0^{-1}(a)$ will be used as an example. 

All trajectories are expressed as matrices. (Vectors and single variables 
are special cases of matrices.) Let $w \in K_0^{-1}(a)$ and let $c_{ji}$ denote 
the $(j, i)$ component of $w$. The projection function, denoted simply $c_{ji}$, 
maps the matrix $w$ onto its $(j, i)$ component, $c_{ji}$. The first need is to determine, 
for each component of $w$, the set 

$(c_{ji} K_1)^{-1}(c_{ji})$ = {all trajectories in $U^1$ which, when mapped to 
$U^0$, have the value $c_{ji}$ for the $(j, i)$ component} 

$= \{v \in U^1 \mid c_{ji}(K_1(v)) = c_{ji}\}$. 

The intersection of these sets for all components of $w \in U^0$ is the set of 
all trajectories in $U^1$ which, when mapped to $U^0$, have $c_1$ for the first 
component, $c_2$ the second component, and so on. This is exactly the set 
of all trajectories in $U^1$ which map to $w \in U^0$: 

$K_1^{-1}(w) = \bigcap_{\text{all } j,\, i} (c_{ji} K_1)^{-1}(c_{ji})$. 

Computing the $(c_{ji} K_1)^{-1}(c_{ji})$ sets requires knowledge of the system, its 
environment, and the mission. Computing the intersection is a purely mechanical 
process. The inverse image $K_1^{-1}(w)$ can thus be found for every $w \in K_0^{-1}(a)$. 
The union of all these inverse images is $(K_0 K_1)^{-1}(a)$. 

Step 2. Compute $\Pr[\gamma^{-1}(a)]$ 

The first step was to determine $\gamma^{-1}(a)$, the set of base model 
trajectories which result in the mission outcome "a", for every $a \in A$. In 
this step, the probability of the set $\gamma^{-1}(a)$ occurring is computed. The 
method for performing the computations uses the fact that each inverse image 
of an element (e.g., $K_1^{-1}(w)$) is a Cartesian set*. Furthermore, each inverse 
of the outcome "a" (e.g., $(K_0 K_1)^{-1}(a)$) is a union of disjoint Cartesian sets. 

The inverse image of "a" in the base model trajectories can be written as 

$\gamma^{-1}(a) = V_1 \cup V_2 \cup \ldots \cup V_s$ 

where each $V_i$ is Cartesian and $V_i \cap V_j = \emptyset$ for $i \neq j$. 

Hence, $\Pr[\gamma^{-1}(a)] = \Pr(V_1) + \Pr(V_2) + \ldots + \Pr(V_s)$ 
and each $\Pr(V_i)$ must be computed. 

Suppose $V$ is a Cartesian set and there are $m$ phases in the mission. 
Then $V$ can be written as 

$V = R_1 \times R_2 \times \ldots \times R_m$ 

where each $R_k$ is a subset of the state space of the system. Assume there are 
$n$ possible states in the state space. The initial state vector is 

$I(0) = [p_0(1)\ \ p_0(2)\ \ \ldots\ \ p_0(n)]$ 

where $p_0(i)$ = probability the system is in state $i$ at the start of the mission. 
The intraphase transition matrix for phase $k$ gives the state transition 
probabilities for the state space; 

*Definition of a Cartesian set: Let $Q$ be some set and let $V$ be a subset of 
$Q \times Q$; that is, every element of $V$ is of the form $(q_1, q_2)$ where $q_i \in Q$. If 
there exist two subsets of $Q$, say $R_1$ and $R_2$, such that every element of 
$V$ is of the form $(r_1, r_2)$ where $r_1 \in R_1$ and $r_2 \in R_2$, and every combination 
$(r_1, r_2)$ is in $V$, then $V$ is Cartesian. 


symbolically, 

$P_k = [p_k(i, j)]$ 

where $p_k(i, j)$ = probability the system is in state $j$ at the end of phase 
$k$ given the system was in state $i$ at the start of phase $k$. If the base model 
is a Markov process, then the $p_k(i, j)$ are the Markov transition probabilities. 
The "characteristic matrix" for the set $V$ and phase $k$ is 

$G_{V,k} = [g_{V,k}(i, j)]$ 

where 

$g_{V,k}(i, j) = 1$ if $i = j$ and state $i$ is in $R_k$, 
$0$ otherwise. 

Multiplying the intraphase transition matrix $P_k$ on the right by $G_{V,k}$ puts 
zeroes in those columns of $P_k$ which correspond to states not in $R_k$ (and therefore 
not in the set of trajectories which comprise $V$). In other words, $G_{V,k}$ selects 
those columns of $P_k$ corresponding to the phase $k$ outcomes in the trajectory 
subspace $V$. 

For the last ($m$th) phase, the characteristic matrix becomes the column vector 

$F(m) = [f(1)\ \ f(2)\ \ \ldots\ \ f(n)]^{T}$ 

where 

$f(i) = 1$ if state $i$ is in $R_m$, 
$0$ otherwise. 

The use of a column vector is to sum the probabilities of being in any of 
the acceptable final states. 

Using these quantities, the probability of $V$ is: 

$\Pr(V) = I(0)\,(P_1 G_{V,1})\,(P_2 G_{V,2}) \cdots (P_{m-1} G_{V,m-1})\,(P_m F(m))$. 
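As an added worked example (constructed here, not taken from the report or from the Michigan project), the $\Pr(V)$ product above is carried out for a 3-state, 3-phase base model and cross-checked by enumerating every trajectory in $V$; the transition probabilities, the accomplishment levels and their decomposition into disjoint Cartesian sets are all constructed for the example.

```python
"""Performability Step 2 (added example): Pr(V) for Cartesian trajectory sets.

Constructed base model, not report data: a dual-computer flight control
system observed at the end of each of m = 3 mission phases.  States are
0 = both computers up, 1 = one computer failed, 2 = both failed (absorbing).
"""
from itertools import product

N = 3                     # number of states n
ALL = {0, 1, 2}           # the whole state space Q
I0 = [1.0, 0.0, 0.0]      # I(0): the mission starts with both computers up

# Intraphase transition matrices P_k: row i = state at the start of phase k,
# column j = state at its end.  Phases differ in length, hence in P_k.
P = [
    [[0.990, 0.009, 0.001],   # phase 1: takeoff/climb
     [0.000, 0.995, 0.005],
     [0.000, 0.000, 1.000]],
    [[0.970, 0.028, 0.002],   # phase 2: cruise (longest phase)
     [0.000, 0.985, 0.015],
     [0.000, 0.000, 1.000]],
    [[0.995, 0.004, 0.001],   # phase 3: descent and landing
     [0.000, 0.997, 0.003],
     [0.000, 0.000, 1.000]],
]

# gamma^{-1}(a) for each accomplishment level, written as a union of
# *disjoint* Cartesian sets V = R_1 x R_2 x R_3 (each R_k a set of states).
ACCOMPLISHMENT = {
    "safe, on-time landing":  [[{0}, {0}, {0}]],
    "safe, late landing":     [[{1}, {0, 1}, {0, 1}],
                               [{0}, {1}, {0, 1}],
                               [{0}, {0}, {1}]],
    "loss of aircraft":       [[{2}, ALL, ALL],
                               [{0, 1}, {2}, ALL],
                               [{0, 1}, {0, 1}, {2}]],
}


def characteristic_matrix(R):
    """G_{V,k}: diagonal selector with a 1 at (i, i) iff state i is in R_k."""
    return [[1.0 if (i == j and i in R) else 0.0 for j in range(N)]
            for i in range(N)]


def characteristic_vector(R):
    """F(m): column vector with f(i) = 1 iff state i is in R_m."""
    return [1.0 if i in R else 0.0 for i in range(N)]


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(N)) for j in range(N)]
            for i in range(N)]


def row_times_matrix(v, M):
    return [sum(v[k] * M[k][j] for k in range(N)) for j in range(N)]


def pr_cartesian(V):
    """Pr(V) = I(0) (P_1 G_{V,1}) ... (P_{m-1} G_{V,m-1}) (P_m F(m))."""
    m = len(V)
    row = I0
    for k in range(m - 1):                       # phases 1 .. m-1
        row = row_times_matrix(row, matmul(P[k], characteristic_matrix(V[k])))
    row = row_times_matrix(row, P[m - 1])        # last phase: P_m ...
    F = characteristic_vector(V[m - 1])          # ... times F(m)
    return sum(row[i] * F[i] for i in range(N))


def pr_brute_force(V):
    """Cross-check: add up the probability of every trajectory (q_0, q_1..q_m)
    whose phase-end states q_k lie in R_k.  Exponential in m; fine here."""
    total = 0.0
    for q0 in range(N):
        for traj in product(*V):
            p, prev = I0[q0], q0
            for k, q in enumerate(traj):
                p *= P[k][prev][q]
                prev = q
            total += p
    return total


def performability():
    """P(a) = sum of Pr(V_i) over the disjoint Cartesian sets of gamma^{-1}(a)."""
    return {a: sum(pr_cartesian(V) for V in sets)
            for a, sets in ACCOMPLISHMENT.items()}


if __name__ == "__main__":
    for a, p in performability().items():
        print(f"{a:24s} P(a) = {p:.10f}")
    print("sum over all levels    =", sum(performability().values()))
```

The three levels partition the trajectory space, so the computed probabilities must sum to 1; that check, and the agreement between the matrix product and direct enumeration, is the kind of independent cross-check the Summary notes a single method cannot provide.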



9 


Summary 

This synopsis of performability analysis summarizes the nature of the 
technique. It does not address all of the capabilities or important aspects 
of the technique, some of which are: 

o Transitions between phases 

o "Lumping" of states to reduce the number of states 
needed for the computations 

o Modeling of non-Markov stochastic processes. 

For further details, the reader is directed to References 1, 2, and 3. 


THE FAULT TREE METHOD 


Fault trees have been widely used in many types of reliability 
analysis since development of the technique in the early 1960's. The 
major area of application has been the study of safety problems in nuclear 
reactors(10, 11)*. A general review of applications and computational aids is 
given by Fussell, Powers, and Bennetts(12). The technique is conceptually 
quite simple, though application to realistic problems may be laborious. 

There are two aspects of the methodology which will be discussed 
separately: (1) construction of the fault tree itself and (2) computation of the 
probabilities of the events considered. In some applications, only the first 
aspect is used. In the present study, both are required. 

Construction of the Fault Tree 


The starting point for each fault tree is the selection of some 
particular event (usually an undesirable event) for study. In most problems 
there is more than one type of failure to be considered. In such cases, a 
separate fault tree must be developed for each type. Examples would be: 

(1) Loss of aircraft through control failure 

(2) Loss of all aircraft position information 

(3) Loss of Category II landing capability 

(4) Loss of RNAV capability. 


* Superscript numbers in parentheses refer to items in the Reference List. 





This fundamental event to be studied is sometimes designated as the "Top 
Event", since it occurs at the top of the fault tree as usually drawn. 

Once the top event has been selected, the next step is to enumerate 
all the ways in which the top event can happen. This enumeration is done 
through use of a specific type of graph structure known as a tree, hence the 
name fault tree. 

If a given top event T can be caused by any one of the other events 
A, B or C, this can be depicted schematically as shown in Figure 2. 



FIGURE 2. FAULT TREE WITH "OR" GATE 


The notation of an "OR" gate is used to denote the fact that any one of the 
events A, B or C can cause T. The events A, B and C could be mutually 
exclusive or not. They could be statistically independent or not. Each 
of the events A, B, or C could be the top event in another fault tree. For 
example, there could be several other events which could cause A. 

If T is caused by the presence of two or more events, the dependence 
is indicated as in Figure 3. 



FIGURE 3. FAULT TREE WITH "AND" GATE 











This means that all three events A, B and C must occur in order to 
cause T. Again, A, B or C could be the top event of another tree. 

The construction of a complete fault tree proceeds from the top 
down. The top event is defined, and those events leading to the top event 
are defined. Then those events leading to the events just below the top 
event are defined. This continues until a level of fundamental events is 
reached. The nature of this fundamental level can be selected for the purposes 
of a particular problem. It could be failures of fundamental components such 
as resistors or solder joints. It could be failure of major subsystems, such 
as an inertial navigation unit or a particular computer function. 

In concept, this is all there is to the construction of fault trees. 

In considering specific problems, however, considerable ingenuity may be 
required to fit the problem into this framework. For example, in the fault 
tree, there is no explicit recognition of time. This can be overcome, at 
least in many cases, by time-related definition of events. For example, a 
top event could be defined as loss of control during a specific period of 
time, such as final approach and landing. If there is more than one time 
period of interest, it may be necessary to construct a different fault tree 
for each time period, and for each top event in each time period. Conceptually, 
this is a simple approach, but the labor involved in constructing many fault 
trees could be considerable. 

Also, it is necessary for the analyst to have a very good understanding 
of the system being analyzed. It is important that all ways of 
reaching the top event be portrayed in the tree. There is no general way to 
assure this, but the more the analyst knows about the working of the system, 
the less likely he is to overlook failure-producing events or combinations of 
events. 


Determination of Failure Probabilities 

Once a fault tree has been developed, it may be desirable to determine 
the probability of the top event. In order to do this, it is necessary to 
know the probabilities of the fundamental events. If the fundamental events 
are independent, the determination of probabilities is relatively straightforward. 

The situation of Figure 2 leads to the relationship 

where $P_T$ is the probability of the top event, and $P_A$, $P_B$ and $P_C$ are the 
probabilities of the contributing events. If the probabilities are small, 
as is usually the case, this is well approximated by 

$P_T \approx P_A + P_B + P_C$. 

In the situation of Figure 3, the probability is computed from 

$P_T = P_A P_B P_C$. 

Probability computations start at the bottom of the tree with the fundamental 
events and proceed upward, using the above formulas at each stage until the 
top event is reached. 

If events are not all independent, more complex computations may 
be required, but standard probability theory covers these cases. For problems 
of this type, special analytical methods and computer programs have been 
developed. 
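As an added example (constructed here, not from the report), the bottom-up computation just described is carried out for small fault trees: the exact OR relationship for independent inputs, $P_T = 1 - (1 - P_A)(1 - P_B)(1 - P_C)$, beside the small-probability approximation, plus an exhaustive evaluation that stays correct when one fundamental event feeds two gates, the dependent case the last paragraph refers to; the trees and the failure probabilities are constructed.

```python
"""Fault tree top-event probability (added example, constructed data).

A tree is a nested tuple ("OR", child, ...) or ("AND", child, ...); a leaf
is the name of a fundamental event whose failure probability for the
mission phase of interest is given in BASIC.
"""
from itertools import product

# Constructed per-phase failure probabilities of the fundamental events.
BASIC = {
    "computer A fails":   1e-4,
    "computer B fails":   1e-4,
    "sensor set fails":   5e-5,
    "actuator fails":     2e-5,
    "ILS receiver fails": 3e-4,
}

# Top event 1: loss of aircraft through control failure during the phase.
LOSS_OF_CONTROL = ("OR",
                   ("AND", "computer A fails", "computer B fails"),
                   "actuator fails",
                   "sensor set fails")

# Top event 2: loss of Category II landing capability (constructed rule:
# Cat II needs the ILS receiver and both computers).
LOSS_OF_CAT_II = ("OR",
                  "ILS receiver fails",
                  "computer A fails",
                  "computer B fails")

# Top event 3: either of the above.  "computer A/B fails" now feed two gates,
# so the two OR inputs are *not* independent events.
UNSAFE_CAT_II_APPROACH = ("OR", LOSS_OF_CONTROL, LOSS_OF_CAT_II)


def gate_prob(node, probs, approximate=False):
    """Bottom-up evaluation treating the inputs of every gate as independent.
    OR:  P_T = 1 - (1-P_A)(1-P_B)...  (approximate=True: P_A + P_B + ...)
    AND: P_T = P_A * P_B * ..."""
    if isinstance(node, str):
        return probs[node]
    kind, *children = node
    ps = [gate_prob(c, probs, approximate) for c in children]
    if kind == "AND":
        p = 1.0
        for x in ps:
            p *= x
        return p
    if kind == "OR":
        if approximate:
            return sum(ps)
        q = 1.0
        for x in ps:
            q *= 1.0 - x
        return 1.0 - q
    raise ValueError(f"unknown gate {kind!r}")


def leaves(node):
    """Fundamental events of the tree, repeats included."""
    if isinstance(node, str):
        return [node]
    return [name for child in node[1:] for name in leaves(child)]


def has_repeated_event(node):
    """True when a fundamental event feeds more than one gate; the gate-by-gate
    formulas then overstate or understate P_T because their inputs overlap."""
    names = leaves(node)
    return len(names) != len(set(names))


def top_event_occurs(node, occurred):
    if isinstance(node, str):
        return occurred[node]
    kind, *children = node
    results = [top_event_occurs(c, occurred) for c in children]
    return all(results) if kind == "AND" else any(results)


def exact_prob(node, probs):
    """Exact P_T by summing over all 2^n states of the fundamental events
    (independent among themselves); correct even with repeated events."""
    names = sorted(set(leaves(node)))
    total = 0.0
    for states in product((False, True), repeat=len(names)):
        occurred = dict(zip(names, states))
        if top_event_occurs(node, occurred):
            w = 1.0
            for n in names:
                w *= probs[n] if occurred[n] else 1.0 - probs[n]
            total += w
    return total


if __name__ == "__main__":
    for name, tree in [("loss of control", LOSS_OF_CONTROL),
                       ("loss of Cat II", LOSS_OF_CAT_II),
                       ("unsafe Cat II approach", UNSAFE_CAT_II_APPROACH)]:
        print(f"{name:24s} gate-by-gate {gate_prob(tree, BASIC):.9e}"
              f"  approx {gate_prob(tree, BASIC, True):.9e}"
              f"  exact {exact_prob(tree, BASIC):.9e}"
              f"  repeated event: {has_repeated_event(tree)}")
```

For the two single-purpose trees the gate-by-gate result equals the exhaustive one and the sum approximation is high by a relative few parts in 10^4; for the combined tree the shared computer events make the gate-by-gate figure differ from the exact value, which is why a repeated-event check belongs before the simple formulas are applied.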


TASRA SYNOPSIS 


General Discussion 


The TASRA (Tabular System Reliability Analysis) model was developed 
by Battelle for performing reliability analyses of complex systems. It is 
well suited for this purpose in that the model can simulate real-world situations 
in which a malfunction occurs in the system with major portions of the system 
remaining operational, as well as a complete failure of the system. Most 
reliability models do not accommodate the malfunction situation readily. 

The TASRA model used by Battelle to analyze and predict system and 
major assembly reliability is computer-based and configured so that the 
detailed functional inter-relationships of the subject system are represented 



by the reliability model. Thus, failure of a subassembly or assembly in the 
real system will have the same effect on system operation as the reliability 
model depicts. If failure of one assembly causes a major system failure, the 
model will faithfully represent it. If failure of another assembly only 
degrades system operation, as determined by engineering analysis, the effect 
will be reflected in the probability of occurrence for that particular 
malfunction state without changing a related MTBF which is based on a failure 
state. 

In a TASRA analysis, the term "malfunction" means a sometimes accept- 
able degradation in functional performance (e.g., three channels down out of 
five or transmitting at reduced power) while "failure" is used to indicate 
complete cessation of functional performance of the component or assembly 
(e.g., five channels down out of five). Thus, the failure of a subassembly 
could cause either a malfunction or failure of the next higher-level assembly 
depending on the functional interrelations between the two in the system. 

Such system-specific details can be represented by the TASRA reliability model 
used in this analysis. The model generates reliability data at each level 
of the system hierarchy, and for each failure state or defined malfunction 
state. These can be combined into a MTBF for a higher level if so desired. 

Because of the operational realism TASRA offers, it can also be 
used as a tool to assist the system designers in achieving an improved trade- 
off between cost and reliability if desired. Early in the design/development 
cycle, the first iteration of the computer program will provide reliability 
predictions based on inputs of part failure rates or estimates of assembly 
reliability at the system level at which information is available. Given 
this initial information, the computer will predict a value of system reliability. 
If it is unacceptable, the computer outputs can be studied to identify those 
areas that need improvement to bring the MTBF up to an acceptable level. 

Changes in system design or reliability of the parts procured for particular 
assemblies can be evaluated to estimate the effects on the overall system 
reliability. In parallel with this, cost studies can be conducted to determine 
the impact of these changes on the cost of the system. Thus a TASRA analysis 
provides information that can be used in establishing the relationships between 
cost and reliability of a system. 





Overview of TASRA Modeling Procedure 


As Figure 4 shows, the user of the Tabular System Reliability 
Analysis (TASRA) model must generate a functional description of the total 
system, and of its subsystems, major assemblies, subassemblies, etc. The 
most important criterion in this step is to select "building-blocks" such 
that a failure of each is logically independent of the failure of the other 
building-blocks at that system level. A diagram is prepared to document 
this partitioning at each level. This level-by-level set of partitioned 
functional diagrams is one of the basic inputs the analyst must prepare to 
use the TASRA computer model. Input information from system designers 
knowledgeable in total system operation is usually necessary during this step. 

Another concept essential to an understanding of the TASRA model is 
that of system states. The state of the system (from an operational reliability 
perspective) can be: 

1) Fully operational, as the specifications define it, or 

2) Failed (complete cessation of functional ability) — 
called failure state, or 

3) In one of several degraded operating modes — called 
malfunction states. 

The TASRA model can be used to predict the probability of occurrence of each 
state defined for each level of the system at which an analysis is conducted. 
This can be expressed as a mean time between failure (MTBF) or average time 
between occurrence (ATBO). 

The analyst documents failure and malfunction state definitions working 
through the system level by level. Several iterations may be required 
to develop a consistent set of state definitions for each system level. 

The decision portion of the analysis begins when the bottom of the 
procedural diagram of Figure 4 is reached. A bottom-up decision process of 
recording the system state that would occur as a consequence of each possible 
combination of 1-, 2-, and 3-at-a-time failures of the building-blocks for 
the system level under study is conducted. This is completed on standard 
tables developed by Battelle for this purpose. 




FIGURE 4. OVERVIEW OF PROCEDURE TO IMPLEMENT TASRA SYSTEM RELIABILITY MODEL 



Figure 5 represents the flow of activities that take place at a 
given level within the system while carrying out the TASRA procedure. The 
activities on the right deal with functional partitioning, state definitions, 
and decisions and documenting of failure consequences. The activities on the 
left of the figure relate to reliability data inputs and, when necessary, 
estimates of building-block reliability. Figure 6 then puts together the 
one-level activities of Figure 5 into the analysis of the entire system. 

As illustrated in Figure 6, the procedure of Figure 5 is repeated 
at each level of the system until the analysis is completed up to the top 
level of the system hierarchy. At this point, one iteration of the TASRA 
system reliability model is complete, and reliability estimates (probabilities 
of state occurrence) are available for all of the failure and malfunction 
definitions at each system level. These probabilities may also be presented 
as MTBF's by the computer which is programmed to assume exponential distributions 
for this calculation. The calculations may be iterated as required to 
incorporate new data or changes in system structure. 




FIGURE 5. BASIC MODULAR PROCEDURE OF BOTTOM-UP SYSTEM RELIABILITY ANALYSIS AND PREDICTION (FOR ONE SYSTEM LEVEL) 
(Blocks shown in the figure: List of Reliability States; Computer Calculations of MTBF & Probability of State Occurrences, Failure or Malfunction, For This Level of System Hierarchy; Output: MTBF For This Level; Next Higher System-Level Analysis; ... of Building Blocks.) 


FIGURE 6. STRUCTURE OF SYSTEM RELIABILITY ANALYSIS MODEL 



SCENARIOS AND FAULT TOLERANT SYSTEM 
DESIGNED AND ANALYZED 


SERIES-PARALLEL DESIGN 


A simple series-parallel problem, depicted in Figure 7, was the first 
problem analyzed to verify the researchers' understanding of the respective 
techniques and to obtain a preliminary comparison of the relative ease with which 
the techniques could be applied to a simple problem not involving time or 
environmental dependency. The subsystems depicted in Figure 7 each have one 
failure mode, and all subsystem failures are independent. There is no failure 
sensing for any of the subsystems and there is no possibility of repair. The 
failure of each subsystem is equivalent to that of an open circuit. Subsystems 
C and D are parallel redundant, with operation of either branch assuring 
system success. Branch A-B is parallel redundant with branch C-D; that is, 
either branch yields system success. Investigators were instructed to assume 
an exponential permanent failure rate (Poisson distribution). The data for 
each subsystem are given in Table 1. 


TABLE 1. SERIES-PARALLEL SUBSYSTEM FAILURE RATES 


Subsystem    λ 

A            5 x 10^{-?} 

B            4 x 10^{-?} 

C            1 x 10^{-3} 

D            1 x 10^{-3} 


The analysts were to compute, for time equal to 10 hours, the probability 
of complete failure of the total system and the system reliability. 
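As an added illustration of the series-parallel calculation (this is not the report's own solution), the following evaluates the reliability block diagram with exponential subsystems: each block's survival probability is exp(-λt), series blocks multiply, and parallel blocks combine as one minus the product of unreliabilities. The diagram is read as branch A-B (A and B in series) in parallel with C and with D, so that A and B together, or C alone, or D alone, gives system success. λ_C and λ_D are 1 x 10^-3 from Table 1 and are taken to be per hour; the rates used for A and B in the usage block are assumptions for the example.

```python
"""Reliability block diagram evaluation for a series-parallel design with
exponential (constant failure rate) subsystems.

Added illustration, not the report's own solution.  The structure assumed is
(A series B) parallel C parallel D.  lambda_C = lambda_D = 1e-3 per hour follow
Table 1; lambda_A and lambda_B are assumed values for the example.
"""
from math import exp, prod


def reliability(rate, t):
    """Survival probability of an exponential component after time t."""
    return exp(-rate * t)


def series(*r):
    """All blocks must survive (independent failures)."""
    return prod(r)


def parallel(*r):
    """At least one block must survive (independent failures, no repair)."""
    return 1.0 - prod(1.0 - x for x in r)


def system_reliability(lam_a, lam_b, lam_c, lam_d, t):
    """R(t) for the assumed structure: (A-B) in parallel with C and with D."""
    r_ab = series(reliability(lam_a, t), reliability(lam_b, t))
    return parallel(r_ab, reliability(lam_c, t), reliability(lam_d, t))


def system_failure_probability(lam_a, lam_b, lam_c, lam_d, t):
    """Probability of complete system failure by time t."""
    return 1.0 - system_reliability(lam_a, lam_b, lam_c, lam_d, t)


if __name__ == "__main__":
    # lam_a and lam_b are assumed for the example; lam_c and lam_d are from Table 1.
    rates = dict(lam_a=5e-4, lam_b=4e-4, lam_c=1e-3, lam_d=1e-3)
    t = 10.0  # hours, as in the problem statement
    print(f"R(10 h) = {system_reliability(t=t, **rates):.9f}")
    print(f"Q(10 h) = {system_failure_probability(t=t, **rates):.4e}")
```

The two combinators are all that a fault tree or reliability block diagram of independent, non-repairable blocks needs; the same functions evaluate any nesting of series and parallel groups.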




FIGURE 7. SERIES-PARALLEL DESIGN 



DUAL-DUAL SYSTEM 


Figure 8 represents a portion of a digital flight control system which 
is dual-dual fail-operating. The servo amplifiers, monitor elements, 
and servo sets connected to the actual sensors are not shown, to keep the 
problem within bounds. The sensors are cross-strapped to two remote terminals 
which convert the sensor signals to digital signals; these are transmitted, on 
command, over one of the redundant busses for each remote terminal to the flight 
control computers. 

The principal functions to be performed are the state estimation 
function and the command generation/execution function. Note that a single 
radar altimeter, attitude heading reference set, and inertial navigation 
system are carried. Dual digital air data systems, VOR/ILS receivers, and 
DME receivers are carried and input to both remote terminals. Each remote 
terminal has a dual redundant bus which interfaces with a bus interface unit 
that interfaces with the flight control computer bus and hence the flight control 
computer. The dual redundant data bus also interfaces with the remote terminal. 

In other words, aft remote terminal one and sensor remote terminal one have 
dual redundant busses 1A and 1B, and aft remote terminal two and sensor remote 
terminal two have busses 2A and 2B. Flight control mode selection is redundant 
and interfaces with each of the flight control computers through a serial 
input/output panel. 


Scenario 


The mission consists of three phases. The first phase is a takeoff/ 
climb phase and is fifteen minutes in duration. The second phase is a cruise 
phase of forty-five minutes duration. The descent and landing phase 
consists of fifteen minutes. Assume all equipment is operating at takeoff. 
During cruise, weather conditions at the scheduled destination develop requiring 
Category II capability. As stated in FAA Advisory Circular 120-29, Category II 
conditions require both ILS and glide slope receivers to be operable, the 
radar altimeter to be operable, both flight control computers to be operable, 
as well as an attitude reference source such as the attitude heading reference 
or inertial navigation system. Both digital air data systems must also be 
operable. Table 2 lists the components required for each of the mission phases. 


FIGURE 8. DUAL-DUAL SYSTEM 
(MTBF values, in hours, shown on the figure: INS 300; AHRS 800; Radar Alt. 700; Remote Terminals 500; Flt. Cntrl Mode Select 2000) 


For the purpose of the analysis, the final approach and touchdown phase 
lasts for two minutes. 

Table 2 lists the equipment required for a safe flight, the equipment 
required to initiate the Category II landing at time equal to 73 minutes, and 
the equipment required to complete the Category II landing. The analysts 
calculated the probability of failure to initiate the landing and hence divert 
to the alternate airport due to loss of equipment required to initiate the 
landing, probability of successfully landing at the original destination, and 
probability of loss of the aircraft (unsafe flight) using the data in Figure 8 
and Table 2. 

At all times, each component is either totally operating or totally 
failed. The hardware and software associated with detecting component failures 
and removing failed elements is assumed to be perfectly accurate and perfectly 
reliable. Failures in each component have an exponential (Poisson) distribution. 
The Category II Approach and Landing can be aborted any time until T = 75 minutes. 

MULTI-PROCESSOR SYSTEM 


Scenario 

The scenario for the third problem involved a mission consisting of 
five flight phases which are given in Table 3 with the corresponding duration of 
each phase and probabilistic weather at the destination at the time of scheduled 
departure. 

The takeoff phase is assumed to start when the throttles are advanced 
to begin the takeoff roll after taking the active runway. The landing phase 
ends when the aircraft exits the active runway after decelerating to turnoff 
velocity. The weather at the destination is cloudy and the probability of the 
weather requiring Category II capability is 0.05 at the beginning of cruise. 

System Design 

The system configuration in Figure 9 represents a portion of a digital 
flight control system which possesses some of the features of the Fault Tolerant 
Multi-Processor (FTMP) architecture developed by C. S. Draper Laboratories. 



TABLE 2. COMPONENT REQUIREMENTS FOR MISSION PERFORMANCE LEVELS 


Minimum Component Requirements 

Component          Safe Flight      Initiate CAT II        Complete CAT II 
                   (both phases)    Landing (T=73 min)     Landing (T=75 min) 

Radar Alt. 
Digital Air Data 
AHRS 
INS 
VOR 
DME 
Sensor RT 
PU-I 
PU-II 
FCMS 
Aft RT 

Legible entries of the table: 1, 1, 2, 2, 2, 1, 1 

where 

PU = processing unit 

PU-I: one FCC with one associated BIU 
PU-II: one FCC with both associated BIUs 


TABLE 3. MISSION FLIGHT PROFILE 


Flight Phase       Duration (minutes) 

1. Takeoff         3 
2. Climb-Out       8 
3. Cruise          51 
4. Let-Down        10 
5. Landing         3 


A quintuple redundant bus structure is employed with each of the 
five bus sets consisting of six lines. Two of the six lines in a bus set are 
dedicated to processor transmission (output) to common memory and registers; 
one line of the six is dedicated to common memory transmissions (output); 
one of the six is dedicated to clock generator transmission; one of the six is 
dedicated to I/O port input transmissions; and the last of the six is dedicated 
to I/O port output transmissions. 

Each processor contains an independent processor-cache memory 
module, and common memory modules which communicate with other processors via 
the redundant serial busses. All information processing and transmission is 
conducted in triplicate by a triad of processors so that local voters in 
each module can detect errors. Each processor triad acts as one functional 
processor, of which several can work in parallel. The core software is assumed 
to handle fault detection, diagnosis, and recovery in such a way that 
applications programs do not need to be involved. 

The procedures of each job reside in common memory. Each job step 
is scheduled to occur at a given time or following a given event. Relevant 
dispatch data for each scheduled job step is kept in a queue. Job assignments 
are all made on a floating basis, so that any available processor triad is 
eligible to execute any job step. When a processor fails, its triad will 
attempt to complete its current job step, which it will do unless a second 
failure occurs during the milliseconds required to complete the job step. 
When the job step is complete, one of the other processor triads is assigned 
the task of controlling the reconfiguration of the "injured" triad. Modules 
can be retired and/or reassigned in any configuration. Reconfiguration 
is carried out routinely from second to second to search for latent faults 
in the voting and reconfiguration elements. 


FIGURE 9. MULTI-PROCESSOR SYSTEM CONFIGURATION 


The functions (and their priority) and subfunctions (tasks) to be 
performed are given in Table 4. The priority of the tasks (and associated job 
steps) is used by the processor triads in their selection (from common memory) 
of the next job step to be executed. For the purpose of this problem, only 
the functions' priority was considered. The functions' priority and criticality 
correspond to those given in Table 5. 

The sensors interfacing with the sensor remote terminal, and servo 
amplifiers, monitor elements, and servo sets (connected to the actual actuators) 
interfacing with the actuators remote terminal were not considered to keep 
the problem within bounds. In working this problem, it was assumed that: 

(1) All processors, remote terminals, and the MIL-STD-1553A 
bus interface are properly functioning at the beginning 
of the take-off phase, t = 0. 

(2) Only permanent failures need be considered; that is, 
each component is either totally failed or totally 
operating. 

(3) All components are nominally required to function 
during the entire flight. 

(4) Fault detection and reconfiguration are assumed to be 
perfectly accurate and no second failures occur during 
reconfiguration (Admittedly, this is a bad assumption 
since a finite amount of time is required for recon- 
figuration but the problem analysis objective does not 
suffer from this assumption). 

(5) All bus sets and the MIL-STD-1553A dual bus (itself) 
are perfectly reliable. 

(6) The Flight Management function is required from t = 0 to 
t = 72, i.e. for Phases 1-4 in order to arrive on time. 

(7) The remote terminals and the MIL-STD-1553A bus interface 
with the MIL-STD-1553A busses have redundant input/output 
(I/O) channels A and B with equal reliability. In order 
for data transfer, and hence safe flight, to be successful, 
the conditions in Table 6 must be satisfied. In other 
words, a sensor-to-bus-interface channel and a bus-interface-to- 
actuator channel must exist for data transfer and hence 
safe flight. 



TABLE 4. AUTOMATIC FLIGHT FUNCTIONS 


Priority  Function                      Subfunction 

3         Flight Augmentation Control   1. Artificial Feel 
                                        2. Pitch Trim 
                                        3. Stability Augmentation 
                                           a. Mach/IAS Augmentation 
                                           b. Pitch Augmentation 
                                           c. Wing-Load Alleviation Augmentation 
                                           d. Flutter Suppression Augmentation 
                                           e. Ride Control Augmentation 
                                           f. Roll Augmentation 
                                           g. Yaw Augmentation 
                                        4. Rudder Ratio Changer 
                                        5. Direct Lift Control 
                                        6. Aileron Gain Programming 
                                        7. Flap Limiting 

2         Flight Control                Attitude Hold 
                                        Heading Hold 
                                        Control Wheel Steering 
                                        Altitude Hold 
                                        Automatic Approach and Landing 
                                        Autothrottle 
                                        Air Speed Select 
                                        Air Speed Hold 
                                        Missed Approach 
                                        Back Course Localizer 
                                        Flight Director Signals 
                                        Heading Select 
                                        Course Select 
                                        Flight Envelope Protection 

1         Flight Management             Performance Management 
                                        Lateral Navigation and Guidance 
                                        Heading Select/Hold 
                                        Course Select/Hold 
                                        Vertical Navigation and Guidance 
                                        Vertical Speed Select/Hold 
                                        Altitude Select/Hold 
                                        Thrust Axis Control 
                                        Airspeed/Mach Hold 
                                        Airspeed/Mach Select 
                                        4-D Guidance 
                                        Electronic Flight Instrument System Management 
                                        Data Update Interface 
                                        Inertial Reference System Initialization and Heading Set 



TABLE 6. MIL-STD-1553A DATA TRANSFER LOGIC 


Sensor      Bus Interface   Actuator     Safe 
Channel     Channel         Channel      Flight 
A     B     A     B         A     B 

Y     Y     Y     Y         Y     Y      Y 
Y     Y     Y     Y         Y     N      Y 
Y     Y     Y     Y         N     Y      Y 
Y     Y     Y     Y         N     N      N 
Y     Y     Y     N         Y     Y      Y 
Y     Y     Y     N         Y     N      Y 
Y     Y     Y     N         N     Y      N 
Y     Y     Y     N         N     N      N 
Y     Y     N     Y         Y     Y      Y 
Y     Y     N     Y         Y     N      N 
Y     Y     N     Y         N     Y      Y 
Y     Y     N     Y         N     N      N 
Y     Y     N     N         any   any    N 
Y     N     Y     Y         Y     Y      Y 
Y     N     Y     Y         Y     N      Y 
Y     N     Y     Y         N     Y      Y 
Y     N     Y     Y         N     N      N 
Y     N     Y     N         Y     Y      Y 
Y     N     Y     N         Y     N      Y 
Y     N     Y     N         N     Y      N 
Y     N     Y     N         N     N      N 
Y     N     N     Y         Y     Y      N 
N     Y     Y     Y         Y     Y      Y 
N     Y     Y     Y         Y     N      Y 
N     Y     Y     Y         N     Y      Y 
N     Y     Y     Y         N     N      N 
N     Y     Y     N         any   any    N 
N     Y     N     Y         Y     Y      Y 
N     Y     N     Y         Y     N      N 
N     Y     N     Y         N     Y      Y 



(8) Each triad performs a single function as shown in 
Table 7. With fewer than three processors out of ten 
functioning, the aircraft is assumed to crash. 

(9) The subsystems' permanent failure rates are constant 
(exponential model). The reciprocals of the failure 
rates (MTBF) are given in Table 8. 
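The data-transfer condition of assumption (7) and Table 6 can be generated rather than tabulated by hand, and the same enumeration gives the exact probability that the condition holds. The following is an added illustration, not the report's own table or code. It reads assumption (7) as two hops that must both exist: a sensor-RT channel into the matching bus-interface channel, and a bus-interface channel into the matching actuator-RT channel (so a path may enter on channel A and leave on channel B through the bus interface). Channel reliabilities are taken from Table 8 (500 h MTBF for each channel), the 75-minute mission time from Table 3, and failures are independent and exponential, as the problem assumes.

```python
"""Generate the MIL-STD-1553A data-transfer truth table and the probability
that the transfer condition is satisfied.

Added illustration, not the report's own table or code.  The condition is this
example's reading of assumption (7): a sensor-to-bus-interface path and a
bus-interface-to-actuator path must both exist on matching channels.
"""
from itertools import product
from math import exp

# Sensor RT, bus interface and actuator RT, each with channels A and B.
CHANNELS = ("SA", "SB", "BA", "BB", "AA", "AB")


def data_transfer_ok(sa, sb, ba, bb, aa, ab):
    """True when some sensor->bus-interface channel pair is up and some
    bus-interface->actuator channel pair is up."""
    sensor_to_bus = (sa and ba) or (sb and bb)
    bus_to_actuator = (ba and aa) or (bb and ab)
    return bool(sensor_to_bus and bus_to_actuator)


def truth_table():
    """All 64 channel states with the safe-flight outcome, Y/N as in Table 6."""
    rows = []
    for state in product((True, False), repeat=len(CHANNELS)):
        outcome = "Y" if data_transfer_ok(*state) else "N"
        rows.append(tuple("Y" if s else "N" for s in state) + (outcome,))
    return rows


def safe_transfer_probability(mtbf_hours, t_hours):
    """Exact probability that the condition holds, by enumerating the 64 states
    with independent exponential channel failures of equal MTBF (Table 8)."""
    r = exp(-t_hours / mtbf_hours)  # survival probability of one channel
    total = 0.0
    for state in product((True, False), repeat=len(CHANNELS)):
        if data_transfer_ok(*state):
            p = 1.0
            for up in state:
                p *= r if up else (1.0 - r)
            total += p
    return total


if __name__ == "__main__":
    print(" ".join(CHANNELS), "Safe")
    for row in truth_table():
        print("  ".join(row))
    print(f"P(data transfer condition holds over 75 min) = "
          f"{safe_transfer_probability(500.0, 75 / 60):.7f}")
```

Enumerating the states is preferable to multiplying the two hops' probabilities, because the bus-interface channels appear in both hops and the hops are therefore not independent.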


The analysts computed the following mission outcomes: 

(1) Probability of successful on-time landing at the original 
destination. 

(2) Probability of successful, but late, (based on flight 
management loss prior to landing phase) landing at 
the original destination and the expected economic 
penalty for inefficient flight (see Table 9). 

(3) Probability of diverting and safely landing at the 
alternate destination. Diversion only occurs during 
phases 3, 4, and 5 if CAT II capability is required 
and not available. The expected economic penalty was 
computed using Table 9 data. It was assumed that the 
flight time to the alternate is the same as the remaining 
flight time to the original destination. 

(4) Probability of aborting (due to loss of all spares 
with only a triad remaining) and safely landing at 
the origin during phases 1 and 2. It was assumed that 
abort at end of phase 1 transitions to phase 5 (with 
VFR); abort at end of phase 2 transitions to phase 4 
followed by phase 5 (with VFR). 

(5) Probability of loss of aircraft during the mission; and, 
probability of loss of aircraft during each phase. 


MULTI-PROCESSOR DESIGN MODIFIED 
FOR CROSS-TRAINING 


The system design used for the cross-training of the analysts on 
the respective fault tree and performability analysis methods was a variation 
of the multi-processor design previously analyzed. For this case, the same 
design applies, but the reliability of the remote terminals and bus interface 
units was assumed to be perfect. Only the reliability of the ten processors 
was considered. 



TABLE 7. PROCESSORS REQUIRED FOR FLIGHT FUNCTIONS 


Processors                          Triads      Flight Functions Operating 
Functioning   Failed   Spare        Operating   Augmentation   Control   Management 

10            0        1            3           Y              Y         Y 
9             1        0            3           Y              Y         Y 
8             2        2            2           Y              Y         N 
7             3        1            2           Y              Y         N 
6             4        0            2           Y              Y         N 
5             5        2            1           Y              N         N 
4             6        1            1           Y              N         N 
3             7        0            1           Y              N         N 
2             8        0            0           N = Land Immediately 
1             9        0            0           N = Crash 
0             10       0            0           Crash 



TABLE 8. SUBSYSTEM DATA 


Subsystem                      MTBF (Hours) 

Processor                      100 
Bus Interface Channel A        500 
Bus Interface Channel B        500 
Remote Terminals Channel A     500 
Remote Terminals Channel B     500 


TABLE 9. ECONOMIC PENALTIES DATA 


1. Inefficient Flight (i.e., Loss of Flight Management [FM]) 

   (plot of penalty versus phase) 

   Loss of FM during phase j (but not prior to phase j) causes an economic 
   penalty of $D_j. 

2. Diversion and Safe Flight 

   D = $ penalty 
   Assume D^ > 10. D^ 

3. Abort and Safe Return to Point of Origination 

   D = $ penalty 



The same scenario used for the multi-processor problem was used in 
the cross-training problem. The analysts were instructed to compute the 
probability of safe on-time arrival at the original destination. If time and 
funds permitted, the analysts were also allowed to compute the probability 
of successful late landing at the original destination, the probability of 
diversion with a safe landing, and the probability of loss of the aircraft. 

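For the cross-training problem only the ten processors are unreliable, which makes the processor-count distribution simple to compute directly. The following is an added illustration, not the analysts' solution: with perfect fault detection and reconfiguration (assumption 4) and independent exponential failures, the number of functioning processors at time t is binomial with survival probability exp(-t/MTBF). The processor MTBF (100 h) is from Table 8, the phase durations from Table 3, and the mapping from functioning processors to available functions from Table 7. Assumption (8) treats fewer than three functioning processors as loss of the aircraft, which is the "no triad" figure below.

```python
"""Processor-pool availability for the cross-training problem: ten processors
with MTBF 100 h, phase durations of Table 3, function mapping of Table 7.

Added illustration, not the analysts' solution.  Assumes perfect fault
detection/reconfiguration and independent exponential processor failures,
so the count of functioning processors is binomial.
"""
from math import comb, exp

MTBF_PROCESSOR_HOURS = 100.0   # Table 8
PROCESSORS = 10
PHASE_MINUTES = [("Takeoff", 3), ("Climb-Out", 8), ("Cruise", 51),
                 ("Let-Down", 10), ("Landing", 3)]   # Table 3


def functions_available(n_functioning):
    """Table 7: functioning processors -> triads and functions operating."""
    if n_functioning >= 9:
        return {"triads": 3, "augmentation": True, "control": True, "management": True}
    if n_functioning >= 6:
        return {"triads": 2, "augmentation": True, "control": True, "management": False}
    if n_functioning >= 3:
        return {"triads": 1, "augmentation": True, "control": False, "management": False}
    return {"triads": 0, "augmentation": False, "control": False, "management": False}


def processor_count_distribution(t_hours, n=PROCESSORS, mtbf=MTBF_PROCESSOR_HOURS):
    """P(k processors functioning at time t) for k = 0..n (binomial)."""
    p = exp(-t_hours / mtbf)
    return [comb(n, k) * p ** k * (1.0 - p) ** (n - k) for k in range(n + 1)]


def prob_at_least(k, t_hours):
    """P(at least k processors functioning at time t)."""
    return sum(processor_count_distribution(t_hours)[k:])


def phase_end_times_hours():
    """Cumulative time at the end of each phase, in hours."""
    times, t = [], 0
    for _, minutes in PHASE_MINUTES:
        t += minutes
        times.append(t / 60.0)
    return times


def mission_summary():
    """For each phase end: P(management still available), P(control still
    available) and P(no triad left, i.e. fewer than 3 processors functioning)."""
    out = {}
    for (name, _), t in zip(PHASE_MINUTES, phase_end_times_hours()):
        dist = processor_count_distribution(t)
        ks = range(PROCESSORS + 1)
        out[name] = {
            "management": sum(dist[k] for k in ks if functions_available(k)["management"]),
            "control": sum(dist[k] for k in ks if functions_available(k)["control"]),
            "no_triad": sum(dist[k] for k in ks if functions_available(k)["triads"] == 0),
        }
    return out


if __name__ == "__main__":
    for phase, probs in mission_summary().items():
        print(phase, {k: f"{v:.6e}" for k, v in probs.items()})
```

The management figure at the end of Let-Down (t = 72 min) is the probability that at least nine processors are still functioning, which is the condition for Flight Management under Table 7 and assumption (6).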


ANALYSIS RESULTS 


SERIES-PARALLEL PROBLEM 


The series-parallel problem was an elementary problem used primarily 
for learning purposes by the analysts concerned with fault trees and 
performability analysis. Solutions using those two techniques were quickly and easily 
obtained; they were numerically equal. One man-hour was expended for 
performability analysis and one and one-half man-hours were used for the fault-tree 
analysis. 

The TASRA solution was also quickly obtained, but it was not equivalent 
to the other two solutions. A model error which had the net effect of 
interchanging failure rates among components was located. Following correction 
of the error, the TASRA results agreed with the other results. One man-hour 
and nine system seconds of computer time were expended on the TASRA analysis 
and documentation. 


DUAL-DUAL SYSTEM ANALYSIS 


Summary of Results 

Table 10 summarizes the results of applying the three analysis 
techniques to the previously described dual-dual system. Numerical results for 
performability analysis and the fault-tree approach are in close agreement. 

The TASRA values exhibit some disparities compared to the other values. The 
differences apparently are caused by the procedure used to combine components 
into subsystems and then the system, since it assumes the aggregated entities 
will have exponential failure distributions. The man-hour figures are for 
problem formulation and solution; they do not include time to check the results 
to resolve numerical differences between techniques. 

A summary of the performability analysis solution is given in the 
next subsection. Details are provided in Appendix A. The fault-tree analysis 
follows the performability solution. The TASRA solution is then described. 



TABLE 10. DUAL-DUAL SYSTEM ANALYSIS RESULTS FOR THE THREE TECHNIQUES 


                                            Performability   Fault Trees   TASRA 

Mission Outcome Probabilities 

  Safe Flight and Landing at 
  Primary Destination                       0.974212         0.974245      0.974236 

  Safe Flight and Landing at 
  Alternate Destination                     0.025763         0.025701      0.025740 

  Loss of Aircraft                          25.98 x 10^-6    25.98 x 10^-6 23.69 x 10^-6 

Man-Hours for Solution                      46               30            25 









Performability Analysis Solution 


Analytic Summary 

The performability analysis solution of the dual-dual system problem 
used three model levels — mission, function, and component — in addition to the 
accomplishment set. A concept of "independence with respect to mission out- 
comes" was used to accommodate the large number of trajectories in the base 
(i.e., component level) model. Probability computations were performed using 
the matrix multiplication procedures of performability analysis. The following 
paragraphs summarize the models and computations used to analyze the dual-dual 
system; details are provided in Appendix A. 

The accomplishment set is A = {a_0, a_1, a_2}, where the a_i represent 
specific mission outcomes (i.e., accomplishment levels) of interest. In 
particular, 

a_0 represents safe flight and successful landing at 
the primary destination; 

a_1 represents safe flight and successful landing at 
the alternate destination; 

a_2 represents loss of the aircraft (unsafe flight or 
unsuccessful landing). 

The base model is defined in terms of thirteen component types used 
in the dual-dual system and is also called the component level, or level 2, 
model. Two phases of the mission are used. Phase 1 is the time from takeoff 
(t = 0 minutes) to initiation of landing (t = 73 minutes). Phase 2 is the 
time from initiation of landing (t = 73 minutes) to completion of landing 
(t = 75 minutes). The specific variables used are x_ij, the number of units of 
component type i (i = 1, 2, ..., 13) which are fault-free for phase j (j = 1, 2). 
Each base model trajectory is represented by a 13-by-2 matrix in which rows 
correspond to component types and columns correspond to phases. Each such 
trajectory corresponds to a single accomplishment level. 

As described in the synopsis of performability analysis, the first 
step is to determine the set of base model trajectories which results in the 
mission outcome a_i, for every a_i in A. Two model levels — mission and function — 
were used to form the logical connection between the base model and the 
accomplishment set. 



The mission level (level 0) model consists of two binary variables 
h_1 and h_2 representing the conditions required for "no diversion" and for 
"safe flight", respectively. Each mission level trajectory is of the form 
$\begin{bmatrix} h_1 \\ h_2 \end{bmatrix}$. The set of mission level trajectories corresponding to each a_i in A 
was determined directly from the definitions of the a_i and of h_1 and h_2. 
These inverses are: 

$$\gamma^{-1}(a_0) = \begin{bmatrix} 1 \\ 1 \end{bmatrix}, \qquad 
\gamma^{-1}(a_1) = \begin{bmatrix} 0 \\ 1 \end{bmatrix}, \qquad 
\gamma^{-1}(a_2) = \begin{bmatrix} * \\ 0 \end{bmatrix}$$ 

where * indicates "any possible value" (in this case, 0 or 1). 

The function level (level 1) model consists of four variables 
(f_i, i = 1, 2, 3, 4), one for each function. A function is defined as the set 
of jobs performed by a group of components. Groups are comprised of components 
which are related in some way. For example, the digital air data, attitude 
heading reference system, and inertial navigation system have interacting roles 
during the mission. Each function variable is defined as follows: 

$$f_i = \begin{cases} 
2 & \text{if function } i \text{ meets the "no diversion" and "safe flight" requirements;} \\ 
1 & \text{if function } i \text{ meets the "safe flight" but not the "no diversion" requirements;} \\ 
0 & \text{otherwise.} 
\end{cases}$$ 

A function level trajectory is then a column vector of the form 
$\begin{bmatrix} f_1 \\ f_2 \\ f_3 \\ f_4 \end{bmatrix}$. 

The inverse image of each mission level trajectory in the function level 
trajectory space was determined using the process described in the synopsis 
of performability analysis. Details are given in Appendix A. The function 
level inverses of the accomplishment levels are shown in Table 11. 



TABLE 11. FUNCTION LEVEL INVERSES OF THE ACCOMPLISHMENT LEVELS 


Accomplishment Level, a_i     Function Level Inverses, γ^{-1}(a_i) 
                              (column vectors written as [f_1, f_2, f_3, f_4]) 

a_0 (safe, no diversion)      [2, 2, 2, 2] 

a_1 (safe, diversion)         [1, 2, 2, 2] 
                              [1 or 2, 1, 2, 2] 
                              [1 or 2, 1 or 2, 1, 2] 
                              [1 or 2, 1 or 2, 1 or 2, 1] 

a_2 (unsafe)                  [0, 1 or 2, 1 or 2, 1 or 2] 
                              [*, 0, 1 or 2, 1 or 2] 
                              [*, *, 0, 1 or 2] 
                              [*, *, *, 0] 

* represents "any possible value" (i.e., 0, 1 or 2) 


The process of determining all base model trajectories which map to 
a given function level trajectory (i.e., the inverse image of the function 
level trajectory) is detailed in Appendix A. Basically, the approach is to 
find the inverse image for each component of the function level trajectory 
and then form the intersection of those images. 

A practical problem encountered at this point was the large number 
(4 x 10^^) of mathematically possible base level trajectories. Every such 
trajectory must appear exactly once in the complete group of inverse image 
sets. Some method of writing many matrices in a reasonable amount of time 
was needed. Use of Cartesian sets† allows for efficient representation of 
sets. Notational conveniences such as using * to represent "any possible 
value" provide some limited help. Use of these approaches would still leave 
a burdensome task. The approach which relieves the burden is to take advantage 
of the mutual independence of groups of components. For example, the effect 
of the processors and bus interface units on the mission outcome is independent 
of the effect of the radar altimeter, VOR, and DME. 

The concept of independence with respect to mission outcomes was used 
to divide the thirteen component types into four groups, each of whose 
trajectories were individually analyzed. The functions used in the previous model 
were chosen to correspond exactly with the independent component groups of the 
base model. A separate state diagram was then created for each component group. 

Probability computations, the second step of performability analysis, 
were made using the four component groups. For each group, the computational 
procedure used the intraphase transition matrices, characteristic matrices, and 
vectors as described in the synopsis of the technique and References 1, 2, 3, 
and 9. The mission outcome probabilities for the four component groups were 
then combined in a straightforward way to determine the probability of each 
accomplishment level. An HP-25 hand calculator with eleven significant digits 
was used for the computations. The performability analysis results are: 

Pr (safe flight and no diversion) = 0.974212 

Pr (safe flight and diversion) = 0.025763 

Pr (aircraft is lost) = 25.98 x 10^-6 


† A set V is Cartesian if V = V_1 x V_2 x ... x V_n, where V_i represents the set 
of all projections of elements of V onto their i-th coordinates. 
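The "straightforward" combination of the four independent function-group results into accomplishment-level probabilities is worth seeing worked through, since it is exactly where the Table 11 inverse images are used. The following is an added illustration, not the report's computation (which started from component state diagrams; see Appendix A): it takes one probability vector per function, standing in for the output of each independent component-group analysis, and computes Pr(a_0), Pr(a_1), Pr(a_2) two ways, by brute-force enumeration of all 3^4 function-level trajectories through the mission-level map, and by the disjoint Cartesian inverse-image sets of Table 11. The per-function probabilities are constructed inputs.

```python
"""Mission-outcome probabilities through the model hierarchy: function level
(f_i in {0,1,2}), mission level (h_1 = no diversion, h_2 = safe flight) and
accomplishment set {a_0, a_1, a_2}.

Added illustration, not the report's computation.  FUNCTION_PROBS are
constructed stand-ins for the four independent component-group results.
"""
from itertools import product
from math import prod

# Constructed: for each function i, (Pr[f_i = 0], Pr[f_i = 1], Pr[f_i = 2]).
FUNCTION_PROBS = [
    (0.0010, 0.0090, 0.9900),
    (0.0005, 0.0195, 0.9800),
    (0.0020, 0.0080, 0.9900),
    (0.0001, 0.0099, 0.9900),
]


def mission_level(f):
    """Map a function-level trajectory to (h_1, h_2) using the f_i definitions."""
    h1 = int(all(x == 2 for x in f))   # every function meets "no diversion"
    h2 = int(all(x >= 1 for x in f))   # every function meets "safe flight"
    return h1, h2


def accomplishment(h):
    """Mission level -> accomplishment level: a_0 = [1,1], a_1 = [0,1], a_2 = [*,0]."""
    h1, h2 = h
    if h2 == 0:
        return 2
    return 0 if h1 == 1 else 1


def outcome_probabilities_by_enumeration(probs=FUNCTION_PROBS):
    """Sum over all 3^n function-level trajectories (functions independent)."""
    result = [0.0, 0.0, 0.0]
    for f in product((0, 1, 2), repeat=len(probs)):
        p = prod(probs[i][x] for i, x in enumerate(f))
        result[accomplishment(mission_level(f))] += p
    return result


def outcome_probabilities_by_cartesian_sets(probs=FUNCTION_PROBS):
    """Same result via the disjoint Cartesian inverse images of Table 11:
    a_0: all f_i = 2;
    a_1: union over i of (f_1..f_{i-1} in {1,2}, f_i = 1, rest = 2);
    a_2: union over i of (f_1..f_{i-1} any, f_i = 0, rest in {1,2})."""
    n = len(probs)
    p_0 = [probs[i][0] for i in range(n)]
    p_1 = [probs[i][1] for i in range(n)]
    p_2 = [probs[i][2] for i in range(n)]
    p_12 = [p_1[i] + p_2[i] for i in range(n)]
    p_any = [1.0] * n
    a0 = prod(p_2)
    a1 = sum(prod(p_12[:i]) * p_1[i] * prod(p_2[i + 1:]) for i in range(n))
    a2 = sum(prod(p_any[:i]) * p_0[i] * prod(p_12[i + 1:]) for i in range(n))
    return [a0, a1, a2]


if __name__ == "__main__":
    for name, fn in (("enumeration", outcome_probabilities_by_enumeration),
                     ("Cartesian sets", outcome_probabilities_by_cartesian_sets)):
        a0, a1, a2 = fn()
        print(f"{name:15s} Pr(a_0)={a0:.8f} Pr(a_1)={a1:.8f} Pr(a_2)={a2:.4e}")
```

The Cartesian-set route needs only 1 + n + n products for n functions, against 3^n trajectories for the enumeration; the two agree because the sets in Table 11 are disjoint and together cover every trajectory exactly once, which is the property the text says every inverse-image decomposition must have.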






Solution Effort 


Application of performability analysis to the dual-dual system 
required a total of 46 man-hours. Of this total, 38 man-hours were used to 
formulate the model hierarchy, determine the inverse images (γ^{-1}(a_i)) of the 
accomplishment levels, and perform the probability computations. Another 
8 man-hours were used to check the probability computations. Because of 
numerical discrepancies among the three techniques, the entire solution was 
then checked with an expenditure of 18 man-hours. 

Discussion 


Several difficulties were encountered in this application of 
performability analysis. The first significant problem was defining the model hierarchy. 
Both the accomplishment set and the base level model were readily defined using 
the problem statement. However, it was not clear how to define intermediate 
models to logically connect these two views of the system. 

The large number of distinct component types (13 in the base model) 
results in over 10^^ mathematically possible trajectories. Some method of 
decomposing this large state set was obviously needed. This was the motivation 
for dividing the base model into four component groups which were mutually 
independent with respect to their effects on the mission outcome. These groups 
provided the basis for defining four "functions" and the function level model. 

The mission level model, which lies between the function level and 
the accomplishment set, was straightforward to define and use. While the 
mission level model could have been omitted from this problem, its use provides 
a better representation of performability analysis. 

One conceptual error was made in determining groups of components 
which were independent with respect to their effects on the mission outcome. 
The error was an oversight regarding a dependency involving five components 
from two different groups and a landing requiring Category II weather 
capability. As shown in Appendix A, the probability of the event representing the 
error is on the order of 10^-14. Since the error was quite small, the 
probability computations were not changed. 



It should be noted that the error was not a result of the 
performability analysis technique. The error can be attributed to the complexity of 
the problem and the analyst's attempts to decompose it into manageable pieces. 
A supplementary analysis using the five components was performed to satisfy 
the analyst that the problem could have been formulated in a manner to capture 
the dependency. The associated state diagram involved 72 states. The 
associated state transition matrix would have been tedious to complete and use, 
but it would not have required any ingenuity on the part of the user. 

Fault Tree Solution 


Analytic Summary 

In this problem, three different probabilities are required. Accord- 
ingly, three different fault trees must be prepared. 

Loss of Aircraft Control . The fault tree for loss of control is 
shown in Figure 10. 

Failure to Initiate Cat II Landing . The fault tree for this case is 
shown in Figure 11. 

Treatment of the Landing Phase. The landing phase differs from the 
earlier phase in that the operating complement of equipment is not uniquely 
defined at the start. In order to initiate the Cat II landing, all components 
must be operating with the following exceptions: (a) either one or two DME 
receivers, (b) either the AHRS, the INS, or both. Since the DME receiver is 
not involved in the landing phase, the question of whether one or both were 
operating at the start does not affect landing probabilities. Heading 
reference is needed during the landing, however, and the probability of 
completing the landing will definitely depend on which of the attitude 
equipments are operating at the start of the landing. 



FIGURE 10. FAULT TREE FOR LOSS OF AIRCRAFT 

(Top event probability 23.41 x 10^-6. Basic events shown: AHRS fails; INS fails; 
Sensor Rem. 1 fails; PU 1 fails; Mode Sel 1 fails; Mode Sel 2 fails; Rem 1 Aft 
fails; Rem 2 fails; FCC 1 fails; FCC 2 fails; loss of FCC 1 bus interface; loss 
of FCC 2 bus interface; FCC 2 BIU 2 fails. Legible basic-event probabilities, 
t = 75 minutes, MTBF in hours: 

P_1 = 1 - exp(-75/(60 x 2000)) 
P_2 = 1 - exp(-75/(60 x 800)) = 1.56128 x 10^-3 
P_3 = 1 - exp(-75/(60 x 300)) = 4.15800 x 10^-3 
P_4 = P_6 = 1 - exp(-75/(60 x 500)) = 2.49688 x 10^-3 
P_15 = P_16 = 1 - exp(-75/(60 x 500)) = 2.49688 x 10^-3) 


FIGURE 11. FAULT TREE FOR DIVERT 

(Top event probability ?.84895 x 10^-3 as legible. Events shown: loss of one 
FCC 2 bus interface; FCC 1 BIU 1 fails; FCC 1 BIU 2 fails; FCC 2 BIU 1 fails; 
FCC 2 BIU 2 fails.) 



The following definitions will be used to develop the computational
logic (the event subscripts are reconstructed from the definitions, since the
extracted text does not preserve them):

$E_I$ = successful initiation of Cat II landing

$E_L$ = successful completion of Cat II landing

$E_B$ = both AHRS and INS operating at landing initiation

$E_A$ = AHRS operating at landing initiation, but INS has failed

$E_N$ = INS operating at landing initiation, but AHRS has failed

$E_K$ = meeting all the non-heading requirements for landing initiation.

The principal task is, of course, to compute the probability of a successful
landing (i.e., to determine $\Pr[E_L]$). There are three and only three starting
conditions for the landing: (1) $E_K$ and $E_B$, (2) $E_K$ and $E_A$, and (3) $E_K$ and $E_N$.
It follows that

$$\Pr[E_L] = \Pr[E_K \text{ and } E_B]\,\Pr[E_L \mid E_K \text{ and } E_B]
+ \Pr[E_K \text{ and } E_A]\,\Pr[E_L \mid E_K \text{ and } E_A]
+ \Pr[E_K \text{ and } E_N]\,\Pr[E_L \mid E_K \text{ and } E_N].$$

Since $E_K$ and $E_B$ are associated with different equipment, they are independent
events. It follows that

$$\Pr[E_K \text{ and } E_B] = \Pr[E_K]\,\Pr[E_B].$$

Similar arguments can be made for the other two terms, so that

$$\Pr[E_L] = \Pr[E_K]\left\{\Pr[E_B]\,\Pr[E_L \mid E_K \text{ and } E_B]
+ \Pr[E_A]\,\Pr[E_L \mid E_K \text{ and } E_A]
+ \Pr[E_N]\,\Pr[E_L \mid E_K \text{ and } E_N]\right\}.$$

It can be seen from Figure 2 that $\Pr[E_K] = 0.974299$. Also:

$$\Pr[E_B] = \exp\{-t/(60\times800)\}\,\exp\{-t/(60\times300)\} = 0.994438$$

$$\Pr[E_A] = \exp\{-t/(60\times800)\}\,[1-\exp\{-t/(60\times300)\}] = 4.04115\times10^{-3}$$

$$\Pr[E_N] = [1-\exp\{-t/(60\times800)\}]\,\exp\{-t/(60\times300)\} = 1.51353\times10^{-3}$$

where $t$ is the flight time to landing initiation in minutes (the quoted values
correspond to $t = 73$) and 800 and 300 hours are the MTBFs of the two heading
references.

The conditional failure probabilities are developed in Figures 12, 13, and 14.
Substituting the results into the above equation for $\Pr[E_L]$,

$$\Pr[E_L] = 0.974299\left\{0.994438\,(1-4.76372\times10^{-5})
+ 4.04115\times10^{-3}\,(1-8.92986\times10^{-5})
+ 1.51353\times10^{-3}\,(1-15.8738\times10^{-5})\right\}$$

$$= 0.974299\left\{0.994391 + 4.04079\times10^{-3} + 1.51329\times10^{-3}\right\}$$

$$= 0.974245$$
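The conditional-probability combination above can be checked mechanically. The following Python is an added worked example, not part of the report; it rebuilds the dual-dual landing computation from the three starting conditions. Taken from the text: the 0.974299 probability of meeting the non-heading requirements and the three conditional landing-failure probabilities from Figures 12 to 14. Assumed, because the report shows only the resulting numbers: the two heading references fail independently and exponentially with MTBFs of 800 h and 300 h, and landing is initiated 73 minutes into the flight (these assumptions reproduce the quoted 0.994438, 4.04115x10^-3 and 1.51353x10^-3).

```python
"""Phased-mission bookkeeping for the dual-dual Cat II landing problem.

Added example (not from the report).  The two heading references are
modelled as independent exponential failures; the conditional failure
probabilities for the three starting conditions are the report's values.
"""
import math

MIN_PER_HOUR = 60.0

# Assumed equipment data (not stated in this section of the report).
MTBF_AHRS_H = 800.0
MTBF_INS_H = 300.0
T_INITIATE_MIN = 73.0


def p_fail(t_min, mtbf_h):
    """Probability that an exponentially failing unit fails within t_min minutes."""
    return 1.0 - math.exp(-t_min / (MIN_PER_HOUR * mtbf_h))


def heading_start_states(t_min, mtbf_ahrs_h=MTBF_AHRS_H, mtbf_ins_h=MTBF_INS_H):
    """Return (Pr[both], Pr[AHRS only], Pr[INS only]) at landing initiation.

    The units fail independently, so each joint state is a product.  The
    fourth joint state (both failed) is not a landing-initiation state:
    initiation requires at least one heading reference.
    """
    qa = p_fail(t_min, mtbf_ahrs_h)
    qi = p_fail(t_min, mtbf_ins_h)
    both = (1.0 - qa) * (1.0 - qi)
    ahrs_only = (1.0 - qa) * qi
    ins_only = qa * (1.0 - qi)
    return both, ahrs_only, ins_only


def landing_success(p_non_heading, start_probs, cond_fail):
    """Total probability: Pr[E_L] = Pr[E_K] * sum_s Pr[s] * (1 - Pr[fail | s]).

    start_probs and cond_fail are parallel sequences over the starting
    conditions (both / AHRS only / INS only).  Pr[E_K] and the heading
    state concern different equipment, so they multiply.
    """
    if len(start_probs) != len(cond_fail):
        raise ValueError("one conditional failure probability per start state")
    return p_non_heading * sum(ps * (1.0 - pf) for ps, pf in zip(start_probs, cond_fail))


# Values quoted in the report (Figure 2 and Figures 12-14).
P_NON_HEADING = 0.974299
COND_FAIL = (4.76372e-5, 8.92986e-5, 15.8738e-5)


def report_solution(t_min=T_INITIATE_MIN):
    """Reproduce the report's Pr[E_L] for the dual-dual system."""
    return landing_success(P_NON_HEADING, heading_start_states(t_min), COND_FAIL)


if __name__ == "__main__":
    both, ahrs_only, ins_only = heading_start_states(T_INITIATE_MIN)
    print(f"Pr[both]={both:.6f}  Pr[AHRS only]={ahrs_only:.5e}  Pr[INS only]={ins_only:.5e}")
    print(f"Pr[successful landing]={report_solution():.6f}")
```

The three start-state probabilities sum to slightly less than one; the missing mass is the "both heading references failed" case, which the report's initiation criterion already excludes from the 0.974299 factor.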

Solution Effort 


Determination of the time required for this problem is somewhat 
difficult because the problem went through some re-definition after it was 
initially stated. In addition, some time was lost in the solution by an 
erroneous interpretation of the problem statement which was finally developed. 
It is estimated that some 30 hours would have been required had these problems 
not been present. Actually, some 45 hours were spent on all activities 
associated with this problem. 

TASRA Solution 


Analytic Summary 

Figure 15 depicts the reliability block diagram of the dual-dual 
system used for constructing TASRA inputs. Each assembly was given a set of 
identifying numbers to uniquely reference its possible states. For example, 
assembly 20 was the sensor terminals. The numbers 20.0, 20.1, and 20.2 refer 
to the states "both sensor terminals fault free", "both terminals failed", and 
"one terminal failed", respectively. Except for the fundamental assemblies, 
each assembly consists of a number of subassemblies. A logic table was created 
for each such assembly to specify the assembly state resulting from each 
possible combination of subassembly states. Finally, the failure rate data 
were input. 

Two runs of TASRA were used to derive the numerical results. The 
first run corresponded to the first phase (i.e., takeoff to initiate landing). 





[FIGURE 12. FAULT TREE FOR LANDING FAILURE, CASE 1: Both AHRS and INS Operating (diagram not reproduced). Top event: failure to complete landing, 4.76372 x 10^-5. Intermediate events shown: loss of radar altimeter; loss of heading reference (loss of AHRS output and loss of INS output, including loss of both DADs); loss of both VOR receivers (VOR 1 fails, VOR 2 fails); FCC 1, FCC 2, BIU 1 and BIU 2 failures.]

[Figures 13 and 14, the fault trees for landing failure in cases 2 and 3, are not reproduced.]

FIGURE 15. RELIABILITY BLOCK DIAGRAM

[Diagram not reproduced.]


The second run corresponded to the landing phase. This breakdown was necessary
to model the various states the system could occupy at the transition between
the two phases. The results of the two runs were manually combined to derive
the following results:

Pr (safe flight and Cat II landing) = 0.974236
Pr (safe flight and diversion) = 0.025740
Pr (loss of aircraft) = 23.69 x 10^-6

Solution Effort 


The man-hours required to perform the TASRA analysis were estimated
to be 25 hours. The actual time was somewhat greater, but it included effort
spent resolving computer difficulties due to a system upgrade and interpreting 
the problem statement. In addition, 128 system seconds of computer time (on a 
CDC 6500) were used. This included creation and manipulation of input files 
and production of full TASRA documentation. 

Discussion 


TASRA was not designed to model multi-phase mission problems. It was 
therefore necessary to manually combine results for the different phases. This 
involved conditional probabilities. Some conceptual difficulty was encountered 
in ensuring the probabilities were correctly combined. 

A considerable portion of the solution effort was devoted to the 
input logic tables. Every mathematically possible combination of subassembly 
states had to be evaluated for its effect on the assembly state. This task 
required detailed knowledge of the dual-dual system. 

In addition to mission outcome probabilities, TASRA provided output 
on the unreliability "drivers". Also, additional computer runs to test vari- 
ations of the system could be made using few man-hours. 

Some of the numerical differences between TASRA and the other
techniques can be attributed to the procedure used to combine subassembly
probabilities into assembly probabilities. Each subassembly failure distri-
bution is assumed to be exponential. TASRA assumes the assembly probabilities
are also from exponential distributions. The errors associated with this
assumption are typically quite small. However, since the dual-dual problem
involves small probabilities, the relative error may be significant.
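As an illustration of the logic-table input described above and of the exponential-assembly caveat, here is an added Python example; it is not from the report and is not TASRA code. It enumerates every combination of the two subassembly states for the sensor-terminal assembly (states 20.0, 20.1 and 20.2 as numbered in the text), sums the state probabilities, and then shows why treating the resulting assembly unreliability as exponential gives a small absolute but large relative error. The 2000 h terminal MTBF and the reference times are hypothetical.

```python
"""Logic-table combination of subassembly states, TASRA-style, plus a check
of the 'assembly is exponential' assumption.  Added example, not from the
report or from TASRA.
"""
import itertools
import math

OK, FAIL = 0, 1
MTBF_TERMINAL_H = 2000.0   # hypothetical; the report does not give this value


def sensor_terminal_logic(s1, s2):
    """Logic table for assembly 20 (the two sensor terminals): every
    combination of subassembly states maps to one assembly state number."""
    failed = s1 + s2
    return {0: "20.0", 1: "20.2", 2: "20.1"}[failed]   # fault free / one failed / both failed


def assembly_state_probs(t_hours, mtbfs_h, logic_table):
    """Enumerate every mathematically possible combination of subassembly
    states (as TASRA's logic tables require) and accumulate the product
    probabilities into the assembly state each combination maps to."""
    q = [1.0 - math.exp(-t_hours / m) for m in mtbfs_h]   # exponential unreliabilities
    probs = {}
    for combo in itertools.product((OK, FAIL), repeat=len(q)):
        p = 1.0
        for state, qi in zip(combo, q):
            p *= qi if state == FAIL else 1.0 - qi
        key = logic_table(*combo)
        probs[key] = probs.get(key, 0.0) + p
    return probs


def exponential_fit_error(t_ref_h, t_eval_h, mtbfs_h, logic_table, failed_state):
    """Caveat check: fit a constant failure rate to the assembly's failed-state
    probability at t_ref (i.e. assume the assembly is exponential) and
    extrapolate to t_eval.  Returns (exact, fitted, relative_error)."""
    f_ref = assembly_state_probs(t_ref_h, mtbfs_h, logic_table)[failed_state]
    rate = -math.log(1.0 - f_ref) / t_ref_h
    fitted = 1.0 - math.exp(-rate * t_eval_h)
    exact = assembly_state_probs(t_eval_h, mtbfs_h, logic_table)[failed_state]
    return exact, fitted, (fitted - exact) / exact


def sensor_terminal_demo(t_ref_h=1.0, t_eval_h=2.0):
    """Both-terminals-failed probability: exact versus exponential fit."""
    mtbfs = (MTBF_TERMINAL_H, MTBF_TERMINAL_H)
    return exponential_fit_error(t_ref_h, t_eval_h, mtbfs, sensor_terminal_logic, "20.1")


if __name__ == "__main__":
    probs = assembly_state_probs(75.0 / 60.0, (MTBF_TERMINAL_H,) * 2, sensor_terminal_logic)
    for state in ("20.0", "20.2", "20.1"):
        print(f"assembly state {state}: {probs[state]:.6e}")
    exact, fitted, rel = sensor_terminal_demo()
    print(f"both failed at 2 h: exact={exact:.3e} exponential fit={fitted:.3e} rel. error={rel:+.1%}")
```

A redundant pair's both-failed probability grows roughly as the square of time, so an exponential fitted at one hour under-predicts it by about half at two hours even though the absolute error is below 10^-6; this is the relative-error effect the paragraph above describes.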


MULTI-PROCESSOR SYSTEM ANALYSIS 


Summary of Results 

Table 12 summarizes the results of applying performability analysis
and fault trees to the previously described multi-processor system. The 
performability analysis solution is described in the next subsection and is 
followed by the fault tree solution. 

Performability Analysis of the 
Multi-Processor Problem 


Analytic Summary 

Five specific outcomes were required by the problem statement.
These outcomes defined the accomplishment set

$$A = \{a_0, a_1, a_2, a_3, a_4\}$$

where the mission outcome characteristics associated with each accomplishment
level are:

a_0 - safe, on time, original destination;

a_1 - safe, late, original destination;

a_2 - safe, diverted to alternate destination;

a_3 - safe, aborted to point of origin;

a_4 - unsafe.

The mission (level 0) model used four binary variables to express
the mission outcomes. The variables were as follows:

$$M_1 = \begin{cases} 0 & \text{if the flight is not aborted} \\ 1 & \text{otherwise} \end{cases}
\qquad
M_2 = \begin{cases} 0 & \text{if the flight is not diverted} \\ 1 & \text{otherwise} \end{cases}$$

$$M_3 = \begin{cases} 0 & \text{if the flight is on time} \\ 1 & \text{otherwise} \end{cases}
\qquad
M_4 = \begin{cases} 0 & \text{if the flight is safe} \\ 1 & \text{otherwise.} \end{cases}$$

TABLE 12. MULTI-PROCESSOR SYSTEM RESULTS FOR PERFORMABILITY
ANALYSIS AND FAULT TREES

Quantity*                                    Performability     Fault Trees
P (safe, on-time, original destination)      0.99394882         0.99394863
P (safe, late, original destination)         0.00600770         0.00600766
E (penalty for late arrival)                 $53.3502           $53.3525
P (safe, diversion)                          3.5 x 10^-9        14.0 x 10^-9
E (penalty for diversion)                    $0.0007            $0.0028
P (safe, aborted flight)                     0                  0
E (penalty for aborting)                     0                  0
P (aircraft lost, phase 1)                   70.0 x 10^-9       69.99 x 10^-9
P (aircraft lost, phase 2)                   869.0 x 10^-9      870.4 x 10^-9
P (aircraft lost, phase 3)                   28.8080 x 10^-6    28.8957 x 10^-6
P (aircraft lost, phase 4)                   10.3387 x 10^-6    10.3873 x 10^-6
P (aircraft lost, phase 5)                   3.3978 x 10^-6     3.2921 x 10^-6
P (aircraft lost)                            43.4835 x 10^-6    43.5155 x 10^-6
E (all penalties)                            $53.3509           $53.3553
Man-hours for solution                       59                 22

* P indicates probability and E indicates expected value.

The level 0 trajectory space was the set of four dimensional vectors:

$$U^0 = \left\{ \begin{bmatrix} M_1 \\ M_2 \\ M_3 \\ M_4 \end{bmatrix} : M_i \in \{0, 1\} \right\}$$

The subsets of $U^0$ corresponding to each accomplishment level, denoted $\gamma_0^{-1}(a_i)$,
were determined by inspection. They are shown in Table 13, where *
represents "any possible value".

The function (level 1) model was based on characteristics of the
multi-processor system and the specified criteria for aborting, diverting, late
arrival, and safe flight. The criteria involved the number of fault-free
processor triads and fault-free spare processors available during specific
phases of the flight. A communication channel (i.e., an appropriate combina-
tion of sensor remote terminals, bus interface units, and actuator remote
terminals as specified in the problem statement) is required for safe flight.
In addition, the existence of Category II weather was included since it impacts
the need to divert. The function level variables were defined as follows:

$F_{1j}$ = number of failed triads at the end of phase $j$

$F_{2j}$ = number of spare processors at the end of phase $j$

$$F_{3j} = \begin{cases} 0 & \text{if a communication channel exists at the end of phase } j \\ 1 & \text{otherwise} \end{cases}$$

$$F_4 = \begin{cases} 0 & \text{if the weather at the original destination is not Category II} \\ 1 & \text{otherwise} \end{cases}$$

The weather variable, $F_4$, is not phase dependent since weather information
becomes known in phase 3 and does not subsequently change. In the matrices
describing level 1 trajectories, the value of $F_4$ was indicated in Column 3.


TABLE 13. LEVEL 0 TRAJECTORY SETS FOR THE
ACCOMPLISHMENT LEVELS

Level 0              Accomplishment Levels
Variables      a_0     a_1     a_2     a_3     a_4
M_1             0       0       0       1       *
M_2             0       0       1       *       *
M_3             0       1       *       *       *
M_4             0       0       0       0       1


The other columns were filled with asterisks to indicate the lack of restric-
tions. The variables $F_{1j}$ and $F_{2j}$ are closely related since the ten processors
are dynamically reconfigured to form as many fault-free triads as possible.
Five phases were defined in the problem statement. The level 1 trajectory
space was the following set of matrices:

$$U^1 = \left\{ [F_{ij}] : i = 1, 2, 3, 4;\ j = 1, \ldots, 5 \right\}$$

The next step was to determine the subsets of $U^1$ which corresponded
to each accomplishment level. This was done by finding the matrices in $U^1$
corresponding to the level 0 trajectories for each accomplishment level. The
following procedure was used. First, each $M_i$ (level 0 variable) was considered
individually. The level 1 matrices which result in a given value for each $M_i$
were determined. For example, consider $M_1 = 0$, which indicates "no abort".
The flight is aborted if and only if one triad and no spares are available
prior to the end of phase 2. The status of the communication channels and the
weather have no bearing on the abort criteria. Table 14 shows the level 1
trajectories corresponding to $M_1 = 0$. Asterisks, which represent "any possible
value", and entries such as "0 or 1" were used to reduce the number of matrices.
Next, the level 0 trajectories were considered for each accomplishment level.
For a given level 0 trajectory, the level 1 matrices for each $M_i$ value were
known. The corresponding level 1 matrices were constructed by forming all
possible intersections using one matrix for each of the four $M_i$ values. These
sets of matrices were the level 1 inverses of the accomplishment levels and
were denoted $\gamma_1^{-1}(a_i)$.

The base (level 2) model was defined in terms of the system compo-
nents. One variable, $N_j$, was used to denote the number of processors which
are failed by the end of phase $j$. $N_j$ had integer values from zero to ten. A
second variable, $C_j$, was set to zero if a communication channel exists at the
end of phase $j$, and to one otherwise. Figure 16 displays the state diagram
for the base model. Nine states of interest are identified. For convenience,
the state numbers shown in the diagram were used to represent the state of the
system. A base model trajectory was then represented as a vector of five state
numbers, one for the end of each phase.



TABLE 14. LEVEL 1 TRAJECTORIES CORRESPONDING TO
$M_1 = 0$ ("no abort")

[Table body not recoverable from the extraction. Its entries restricted rows 1 and 2 (failed triads, spare processors) in phases 1 and 2 to combinations such as "0 or 1" and "1 or 2", with asterisks elsewhere.]

[FIGURE 16. STATE DIAGRAM FOR THE BASE MODEL (not reproduced).]


Base model trajectories for each level 1 trajectory were constructed
directly from the $[F_{ij}]$ matrices. The first two rows of the matrices (number
of failed triads and number of spare processors) correspond to the base model
variable $N_j$. The third row of the matrix is equivalent to $C_j$. The fourth row
only contained one variable (Category II weather), which was used in the proba-
bility computations. Grouping the base model trajectories corresponding to the
level 1 trajectories for a given $a_i$ (i.e., $\gamma_1^{-1}(a_i)$) resulted in the set of
base model trajectories for the outcome $a_i$, denoted $\gamma^{-1}(a_i)$. The method of
construction caused the $\gamma^{-1}$ trajectory sets to be Cartesian. They are
summarized in Table 15.

The probability computations were performed using the basic proba-
bility equation shown in the synopsis of performability analysis. Table 16
displays the numerical results.

Solution Effort 


A total of 59 man-hours were expended in the performability analysis 
solution of the multi-processor problem. The breakdown of man-hours by 
solution steps is: 

Problem understanding, modeling development     18

Trajectory set computations                     20

Probability computation                         21

TOTAL                                           59

An additional 19 man-hours were expended on detailed computation checks to 
resolve differences with the fault-tree results. No significant errors were 
identified. 

Discussion 


Solution of the multi-processor problem using performability analysis 
required little ingenuity and substantial perseverance. It was, of course, 
necessary to have a good understanding of the multi-processor system and its 
mission requirements. 



TABLE 15. BASE MODEL TRAJECTORY SETS FOR
EACH ACCOMPLISHMENT LEVEL

[Table body not recoverable from the extraction. Each set $\gamma^{-1}(a_i)$ was listed as one or more Cartesian products of five sets of base-model state numbers, one per phase. The first product listed for $\gamma^{-1}(a_0)$ begins $\{1,2\}\times\{1,2\}\times\{1,2\}\times\{1,2\}\times\ldots$; the products listed for $a_4$ (loss of aircraft) contain $\{9\}$ in the phase in which the aircraft is lost, followed by Q in the remaining phases.]

where S indicates skipped phase

Q = {1, 2, 3, 4, 5, 6, 7, 8, 9}


TABLE 16. PROBABILITY (Pr) AND EXPECTED VALUE (E)
RESULTS FOR PERFORMABILITY ANALYSIS
OF THE MULTI-PROCESSOR PROBLEM

P(a_0) = Pr (successful, on-time, original destination) = 0.993948817

P(a_1) = Pr (successful, late, original destination) = 0.006007701
         E (economic penalty for late arrival) = $53.3502

P(a_2) = Pr (diversion, safe landing) = 3.5 x 10^-9
         E (economic penalty for diversion) = $0.0007

P(a_3) = Pr (aborting, safe landing at origin) = 0
         E (economic penalty for aborting) = 0

         Pr (aircraft lost, phase 1) = 70.0 x 10^-9
         Pr (aircraft lost, phase 2) = 869.0 x 10^-9
         Pr (aircraft lost, phase 3) = 28.8080 x 10^-6
         Pr (aircraft lost, phase 4) = 10.3387 x 10^-6
         Pr (aircraft lost, phase 5) = 3.3978 x 10^-6

P(a_4) = Pr (aircraft lost) = 43.4835 x 10^-6

         E (economic penalty) = $53.3509


The models used in the model hierarchy were not difficult to define. 
The mission (level 0) and base (level 2) models were defined directly from the 
problem statement. Some latitude existed in selection of the function (level 1) 
model. In addition to the selected function model, options included using no 
function model, using only one phase (i.e., the entire mission), and treating 
the communication channels separately from the processors. The last option 
was based on the observation that the system could achieve any accomplishment 
level as long as a communication channel exists, while lack of a communication 
channel would result in loss of the aircraft. Separate treatment of the 
communication channels would have required less time but was not done in order 
to more accurately represent performability analysis.

Construction of the trajectory inverses from the mission model to 
the function model and then to the base model was conceptually straightforward 
but mechanically tedious. A simple procedure for naming the matrices 
(Reference 6) was useful for bookkeeping purposes. The time spent on the 
trajectories was divided about equally between computing the trajectories and 
checking the computations. At each model level, all mathematically possible 
trajectories were represented. A counting argument was used to check that the 
correct number of trajectories had been listed. Additional checks were made 
to ensure that no trajectories had been omitted or listed twice. These checks 
resulted in a high level of confidence that the base model accurately repre- 
sented the problem. 

The probability computations were conceptually easy, mechanical, and 
somewhat time consuming. Individual state transition probabilities were 
computed using the component failure rates and phase durations. The matrix 
multiplications consumed most of the time spent on probability computations. 

They could have been done in less time with METAPHOR (Reference 7), a computer
program written for performability analysis computations. Also, METAPHOR
would have significantly reduced the time spent checking the computations.


Fault Tree Method Solution 


Analytic Summary 

There are a number of different results required in this problem. 
Generally a different fault tree is required for each of the desired answers. 
There is some overlap in the computations required, but a distinct fault tree 
is necessary in each case. 

Safe, On-Time Landing. The approach here will be to compute the
complement of the desired probability (i.e., the probability of failure to
arrive safely and on time). The fault tree with this as the top event is shown
in Figure 17. The probabilities of the top event and the probabilities of the
various contributing events are shown.

The probabilities of the individual events can be computed as follows.
First, the probability of loss of flight management will be considered. This
will be caused by a loss of two or more processors prior to the end of phase 4.
The probability of this is

$$P_1 = 1 - (1-p)^{10} - 10p(1-p)^9 \qquad \text{(Eq. 1)}$$

where $p$ is the probability of loss of a single processor in a period of 72
minutes. The probability $p$ is given by

$$p = 1 - \exp\{-72/(60\times100)\} = 0.0119283 \qquad \text{(Eq. 2)}$$

Substituting this value in Equation 1 gives $P_1 = 0.0060078497$.

Next, it is necessary to establish $P_2$, the probability of loss of
control during phase 5, given that flight management was intact at the end of
phase 4. If, at the end of phase 4, 10 processors are operating, loss of
control would require loss of five or more processors in three minutes. The
probability of exactly five failures is $36p^5(1-p)^5$, where $p$ is the probability
of loss of a single processor in three minutes. This is of the order of
$5\times10^{-4}$, which gives a probability of loss of the order of $10^{-17}$, which is
trivial compared to $P_1$.

It remains to determine $P_3$, the probability of loss of bus communi-
cation. This event is the top event of another fault tree, shown in Figure 18.


[FIGURE 17. FAULT TREE FOR COMPLEMENT OF SAFE, ON-TIME LANDING (diagram not reproduced). Top event: failure to complete safe, on-time landing.]

[FIGURE 18. FAULT TREE FOR LOSS OF BUS COMMUNICATION (diagram not reproduced). Basic-event probabilities are of the form P = 1 - exp(-t/(60 x MTBF)), with t in minutes and MTBF in hours.]


The first three contributing events can be treated in straightforward fashion.
The loss of communication is somewhat more complex. Loss of Sensor to BIU
communication can come about in two ways. Using Y to indicate fault-free
operation and N to indicate failure, the two ways are depicted as follows:

Sensor A    Sensor B    BIU A    BIU B
   Y           N          N        Y
   N           Y          Y        N

The probabilities of these combinations of events can be computed from the
fundamental failure probabilities.

Similarly, the loss of BIU to actuator communication can come about
in two ways.

BIU A    BIU B    Actuator A    Actuator B
  Y        N          N             Y
  N        Y          Y             N

The total probability of loss of bus communication can then be determined by
combining the failure probabilities of the individual contributing events.
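The two "ways" listed above are the minimal cut sets of a two-chain path. The following added Python (not from the report) makes that explicit: it assumes sensor terminal A connects only to BIU A and BIU A only to actuator terminal A (likewise for the B units, which is the topology the two tables imply), enumerates all 64 component-state combinations, sums the probability of every state with no end-to-end channel, and lists the minimal cut sets. Component failure probabilities are inputs; the ones used in the demonstration are constructed, not the report's.

```python
"""Loss of bus communication by exhaustive state enumeration and minimal
cut sets.  Added example, not from the report; the A/B chain topology is
assumed from the two tables in the text.
"""
import itertools
import math

COMPONENTS = ("sensor_A", "sensor_B", "biu_A", "biu_B", "act_A", "act_B")


def channel_exists(up):
    """True iff an end-to-end sensor -> BIU -> actuator chain is fault free.
    Assumed topology: the A units form one chain, the B units the other."""
    chain_a = up["sensor_A"] and up["biu_A"] and up["act_A"]
    chain_b = up["sensor_B"] and up["biu_B"] and up["act_B"]
    return chain_a or chain_b


def prob_loss_of_communication(q):
    """Sum of the probabilities of all 2^6 component-state combinations in
    which no channel exists.  q maps component name -> Pr[failed]."""
    total = 0.0
    for states in itertools.product((True, False), repeat=len(COMPONENTS)):
        up = dict(zip(COMPONENTS, states))
        if channel_exists(up):
            continue
        p = 1.0
        for name in COMPONENTS:
            p *= (1.0 - q[name]) if up[name] else q[name]
        total += p
    return total


def minimal_cut_sets():
    """Smallest sets of failed components that, alone, break both chains.
    Candidates are checked in increasing size so supersets are discarded."""
    cuts = []
    for size in range(1, len(COMPONENTS) + 1):
        for combo in itertools.combinations(COMPONENTS, size):
            up = {c: c not in combo for c in COMPONENTS}
            if channel_exists(up):
                continue
            if any(set(c) <= set(combo) for c in cuts):
                continue   # a smaller cut set already covers this combination
            cuts.append(combo)
    return cuts


def rare_event_check(q):
    """Compare the exact enumeration with the rare-event approximation a
    fault-tree OR gate would use (sum of the cut-set products).
    Returns (exact, approx)."""
    approx = sum(math.prod(q[c] for c in cut) for cut in minimal_cut_sets())
    return prob_loss_of_communication(q), approx


if __name__ == "__main__":
    # Constructed per-component failure probabilities (not from the report).
    demo_q = {"sensor_A": 2.5e-3, "sensor_B": 2.5e-3, "biu_A": 1.6e-3,
              "biu_B": 1.6e-3, "act_A": 4.2e-3, "act_B": 4.2e-3}
    exact, approx = rare_event_check(demo_q)
    print("minimal cut sets:", minimal_cut_sets())
    print(f"P(loss of bus communication): exact={exact:.6e} rare-event sum={approx:.6e}")
```

Nine two-component cut sets result: the three "both of a kind" events the text treats directly, plus the six crossed sensor/BIU and BIU/actuator patterns, of which the tables above list four. The rare-event sum slightly overstates the exact value because states with three or more failures are counted once per cut set they contain.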

Loss of Aircraft. This can come about in two ways which are indi-
cated in the fault tree of Figure 19. The probability of loss of BIU
communication in phases 1 through 5 has already been computed. The probability
of loss of eight processors is given by $p^8$, where $p$ is the probability of loss
of a single processor in 75 minutes. $p^8$ is then of the order of $10^{-16}$, which
is trivial compared to the probability of loss of communication.

Successful, Late Landing at Original Destination . The fault trees 
for this case are shown in Figures 20 and 21. The situation is different 
depending on whether Cat II is required or not, so a separate fault tree 
must be prepared for each case. 





























































The total probability of a safe late landing is:

$$0.95 \times 6.007660623\times10^{-3} + 0.05 \times 6.007647772\times10^{-3} = 6.007659981\times10^{-3}$$


Safe Diversion. To have diversion, it must happen that during phases
3, 4, or 5, Cat II capability is needed and not available. If Cat II capability
is lost before 75 minutes, diversion will take place. This will happen if 5,
6, or 7 processors are lost and BIU communication is not lost and Cat II is
required. The fault tree for this case is shown in Figure 22.

Abort. For this to occur in phase 1 it would be necessary to lose
seven processors in three minutes. The probability of this is of the order of
$10^{-23}$. The probability of aborting by the end of phase 2 is of the order of
$10^{-19}$. Accordingly, the abort probability is taken as zero.


Collection of Results. In addition to the above computations, it
was necessary to repeat some of the analyses on a phase-by-phase basis. These
are done by repetition of the types of analysis given above. The results for
this problem are summarized below.

Pr (successful, on-time landing, orig. destination)    0.993948634
Pr (successful late landing, orig. destination)        0.006007659
E (economic penalty for late arrival)                  $53.3525
Pr (diversion, safe landing)                           14.04 x 10^-9
E (economic penalty for diversion)                     $0.002808
Pr (aborting, safe landing at origin)                  0
E (economic penalty for aborting)                      0
Pr (aircraft lost, phase 1)                            69.993 x 10^-9
Pr (aircraft lost, phase 2)                            870.38 x 10^-9
Pr (aircraft lost, phase 3)                            28.8957 x 10^-6
Pr (aircraft lost, phase 4)                            10.3873 x 10^-6
Pr (aircraft lost, phase 5)                            3.2921 x 10^-6
Pr (aircraft lost)                                     43.5155 x 10^-6
E (economic penalty)                                   $53.3553



[FIGURE 22. FAULT TREE FOR SAFE DIVERSION (diagram not reproduced).]


Solution Effort 


The time required for solution of this problem by the fault-tree
technique was 22 man-hours. This included set-up, drawing of the fault trees,
and all computations.


CROSS-TRAINING PROBLEM ANALYSIS 


Summary of Results 

Performability analysis and fault trees were applied to the cross- 
training problem, which was a simplified version of the multi-processor problem. 
The analyst who had been responsible for performability analysis applied fault 
trees to this problem. Performability analysis was applied by the analyst who 
had been responsible for fault trees. 

Training requirements were quite different for the two techniques. 

Only one trainee man-hour was required for the fault-tree method. Twenty-eight 
trainee man-hours were expended learning performability analysis. In addition, 
approximately four hours of assistance from the performability analyst were 
used to clarify the written descriptions of the technique. 

Fourteen man-hours were spent on the complete fault-tree solution.
Performability analysis required 26 man-hours to establish the model hierarchy
and compute the probability for one mission outcome. The complete computations
are estimated to require 60 to 80 man-hours.

Performability Analysis Solution 


Learning the Technique 

In order to learn the method, two principal avenues were used. One 
was study of several papers and reports written by Meyer and his students, and 
the other was discussion with Michael Bridgman who did the major work on 
Meyer's method in the present study. It was found that the availability of 
Mr. Bridgman was a very great benefit in developing an understanding of the 
method. It would have taken several times longer without this resource. 



The available papers are not designed for tutorial purposes, and they
contain many points which are difficult to understand at first reading. If the
technique is to become widely used, it may be necessary to develop materials
which are (1) more comprehensible and (2) contain better motivation for the
reader in terms of explaining the advantages of Meyer's method over other
methods.


Analytical Summary 


Problem Structure. There is more than one way to fit the problem
into Meyer's format. The one selected here seems to be logical, but there are
certainly others which could be defended. Three levels were defined: (1) the
accomplishment set, (2) the "aircraft level", and (3) the base process. The
accomplishment set is defined as follows:

a_0 = successful, on-time landing at original destination

a_1 = successful but late landing at original destination

a_2 = safe diversion

a_3 = safe abort

a_4 = loss of aircraft

The overall objective is to determine the probabilities of these various
outcomes.

The aircraft level is concerned with the capability of the avionics
system during each phase of the flight. A trajectory at the aircraft level
is defined by a vector

$$[v_1\ v_2\ v_3\ v_4\ v_5\ v_6]$$

where, for $i = 1, \ldots, 5$,

$$v_i = \begin{cases}
3 & \text{if there is full capability at the end of phase } i \\
2 & \text{if only augmentation and control are operating at the end of phase } i \\
1 & \text{if only augmentation is operable at the end of phase } i \\
0 & \text{if all capability is lost at the end of phase } i
\end{cases}$$

and

$$v_6 = \begin{cases}
1 & \text{if Cat II capability is required} \\
0 & \text{if Cat II capability is not required.}
\end{cases}$$

The base level trajectory is defined by the vector

$$[x_1\ x_2\ x_3\ x_4\ x_5\ x_6]$$

where $x_i$, $i = 1, 2, 3, 4, 5$, is the number of LRUs operating at the end of
phase $i$ and $x_6$ is the Cat II indicator defined above.

The three levels, and the mapping between them, can be portrayed as
follows:

Accomplishment set  <--  Aircraft level  <--  Base model

[Diagram of the levels and mappings not reproduced.]

Mapping From Aircraft Level to Accomplishment Set. Rather than
define the complete mapping $K$, it was decided to consider only the accom-
plishment level $a_0$. In this problem, the aircraft level trajectories which
produce $a_0$ can be enumerated. They are:

$$V_1:\ (3\ 3\ 3\ 3\ 3\ *) \qquad V_2:\ (3\ 3\ 3\ 3\ 2\ *) \qquad V_3:\ (3\ 3\ 3\ 3\ 1\ 0) \qquad (1)$$

where, following Meyer's notation, the symbol * is used to denote a case in
which the component can take on any value on its range.

Mapping From Base Model to Aircraft Level. It remains to establish
the mapping from the base model to these aircraft level trajectories. From
the definition of the problem, it can be seen that the first of the trajec-
tories (1) is produced by the Cartesian trajectory set:

$$V_1 = \{9,10\}\times\{9,10\}\times\{9,10\}\times\{9,10\}\times\{9,10\}\times\{*\} \qquad (2)$$

Computation of Probability. To evaluate the probability of a trajec-
tory set of this type, the following result of Wu and Meyer (Reference 9,
Theorem 1) may be used:

$$\Pr(V) = \mathbf{1}(0)\left[\prod_{k=1}^{5} P_k R_k\right] F \qquad (3)$$

where $\mathbf{1}(0)$ is a row vector of the probabilities of being in the various states
$x = 0, 1, 2, \ldots, 10$ at the start of the problem, $F$ is a column vector all of
whose elements are unity, $P_k$ is a state transition matrix whose elements are

$P_k(i,j)$ = probability of being in state $j$ at the end of phase $k$, given that the
system was in state $i$ at the beginning of phase $k$,

and $R_k$ is a matrix defined by

$$R_k(i,j) = \begin{cases} 1 & \text{if } i = j \text{ and } i \in \mathcal{R}_k \\ 0 & \text{otherwise} \end{cases}$$

where $\mathcal{R}_k$ is the set of allowed states in $V$ during the $k$th phase.

Evaluation of Equation 3 is rather complex. It involves multipli-
cation of ten matrices. In this case, the problem is somewhat simplified by
the fact that most of the components are zero, and the matrices to be
multiplied are actually only 2x2. This is still a substantial computation
task, however. For each phase, the product $P_k R_k$ is of the form

$$\begin{bmatrix} p(0,0) & \cdots & p(0,10) \\ \vdots & & \vdots \\ p(10,0) & \cdots & p(10,10) \end{bmatrix}
\begin{bmatrix} 0 & & & \\ & \ddots & & \\ & & 1 & \\ & & & 1 \end{bmatrix}
= \begin{bmatrix} 0 & \cdots & 0 & p(0,9) & p(0,10) \\ \vdots & & \vdots & \vdots & \vdots \\ 0 & \cdots & 0 & p(10,9) & p(10,10) \end{bmatrix} \qquad (4)$$

and, because the system starts in state 10 and only states 9 and 10 are allowed
in every phase of $V_1$, only the $2\times2$ block

$$\begin{bmatrix} p(9,9) & p(9,10) \\ p(10,9) & p(10,10) \end{bmatrix}$$

needs to be carried forward. Since $P_k(9,10) = 0$ for all $k$, it is necessary only to
compute the three remaining probabilities:

$$P_k(9,9) = (1-U_k)^9, \qquad P_k(10,9) = 10U_k(1-U_k)^9, \qquad P_k(10,10) = (1-U_k)^{10} \qquad (5)$$

where $U_k$ is the probability of failure of a single LRU during phase $k$. With a
100-hour LRU MTBF and phase durations of 3, 8, 51, 10, and 3 minutes:

$$U_1 = 1-\exp\{-3/(60\times100)\} = 4.9987510\times10^{-4}$$

$$U_2 = 1-\exp\{-8/(60\times100)\} = 1.3324449\times10^{-3}$$

$$U_3 = 1-\exp\{-51/(60\times100)\} = 8.4639771\times10^{-3}$$

$$U_4 = 1-\exp\{-10/(60\times100)\} = 1.6652786\times10^{-3}$$

$$U_5 = U_1 \qquad (6)$$


Substituting the values of (6) into the transition probabilities of (5),
substituting those results into the matrices indicated in (4), and multiplying
the five resulting matrices in the proper order gives

$$\Pr(V_1) = \begin{bmatrix} 0 & 1 \end{bmatrix}
\begin{bmatrix} 0.89359715 & 0 \\ 0.11100440 & 0.88249671 \end{bmatrix}
\begin{bmatrix} 1 \\ 1 \end{bmatrix} = 0.99350111 \qquad (7)$$

The second vector in (1) implies the Cartesian set

$$V_2 = \{10,9\}\times\{10,9\}\times\{10,9\}\times\{10,9\}\times\{8,7,6\}\times\{*\} \qquad (8)$$

while the third vector in (1) implies

$$V_3 = \{10,9\}\times\{10,9\}\times\{10,9\}\times\{10,9\}\times\{3,4,5\}\times\{0\} \qquad (9)$$

All these trajectory sets are identical through the first four phases. Making
the necessary changes in the fifth phase, the resulting probabilities are:

$$\Pr[V_2] = 4.906859\times10^{-4}, \qquad \Pr[V_3] \text{ negligible (of the order of } 10^{-13}) \qquad (10)$$

The probability of $a_0$ is, then, the sum of the three probabilities:

$$\Pr[a_0] = 0.99399179 \qquad (11)$$
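The matrix evaluation of Equation 3 above, and the fault-tree closed form of Equations 1 and 2 in the multi-processor section, can both be reproduced with the following added Python example; it is not code from the report or from METAPHOR. It builds the full 11x11 binomial transition matrix P_k for each phase, applies the R_k mask, and multiplies through for V_1, V_2 and V_3, so the 2x2 shortcut is not needed and any allowed-state sets can be used. Assumed from the surrounding text: ten identical LRUs with MTBF 100 h, phase durations 3, 8, 51, 10 and 3 minutes, all ten operating at the start; Cat II required with probability 0.05, which is the weighting the fault-tree section uses and is applied here to V_3 (its x_6 = 0 component).

```python
"""Trajectory-set probability via the Wu-Meyer product formula (Equation 3),
plus the fault-tree binomial of Equations 1-2.  Added example, not from the
report.  Failure model: independent exponential LRUs, no repair.
"""
import math

N_LRU = 10
MTBF_H = 100.0                             # processor MTBF from the problem statement
PHASES_MIN = (3.0, 8.0, 51.0, 10.0, 3.0)   # phase durations that give U_1..U_5 of (6)
P_CAT2_REQUIRED = 0.05                     # weighting used in the fault-tree section


def unit_unreliability(t_min, mtbf_h=MTBF_H):
    """U_k: probability that one LRU fails during a phase lasting t_min minutes."""
    return 1.0 - math.exp(-t_min / (60.0 * mtbf_h))


def transition_matrix(u, n=N_LRU):
    """P_k(i, j): i LRUs operating at the start of the phase, j at its end.
    Failures are independent, so the survivor count is binomial; with no
    repair P_k(i, j) = 0 for j > i, which is why P_k(9, 10) = 0."""
    P = [[0.0] * (n + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        for j in range(i + 1):
            P[i][j] = math.comb(i, j) * (1.0 - u) ** j * u ** (i - j)
    return P


def masked(P, allowed):
    """P_k R_k: R_k is diagonal with ones at the allowed states, so the
    product simply zeroes every column outside the allowed set."""
    return [[P[i][j] if j in allowed else 0.0 for j in range(len(P))]
            for i in range(len(P))]


def row_times(v, M):
    """Row vector times matrix."""
    return [sum(v[i] * M[i][j] for i in range(len(v))) for j in range(len(M[0]))]


def trajectory_set_probability(allowed_per_phase, phases_min=PHASES_MIN, start=N_LRU):
    """Equation 3: Pr(V) = 1(0) [prod_k P_k R_k] F, with F the all-ones column."""
    v = [0.0] * (N_LRU + 1)
    v[start] = 1.0                         # 1(0): all LRUs operating at the start
    for t_min, allowed in zip(phases_min, allowed_per_phase):
        v = row_times(v, masked(transition_matrix(unit_unreliability(t_min)), allowed))
    return sum(v)                          # right-multiplication by F


FULL = {9, 10}                             # aircraft level 3: full capability


def p_a0():
    """Pr[a_0] as the sum over the aircraft-level trajectories V_1..V_3.
    Returns (Pr V_1, Pr V_2, Pr V_3, Pr a_0)."""
    v1 = trajectory_set_probability([FULL] * 5)                              # (2), x_6 = *
    v2 = trajectory_set_probability([FULL] * 4 + [{6, 7, 8}])                # (8), x_6 = *
    v3 = trajectory_set_probability([FULL] * 4 + [{3, 4, 5}]) * (1.0 - P_CAT2_REQUIRED)  # (9), x_6 = 0
    return v1, v2, v3, v1 + v2 + v3


def fault_tree_loss_of_flight_management(t_min=72.0):
    """Equations 1 and 2: P_1 = 1 - (1-p)^10 - 10 p (1-p)^9, p over 72 minutes."""
    p = unit_unreliability(t_min)
    return 1.0 - (1.0 - p) ** N_LRU - N_LRU * p * (1.0 - p) ** (N_LRU - 1)


if __name__ == "__main__":
    v1, v2, v3, a0 = p_a0()
    print(f"Pr[V1]={v1:.8f}  Pr[V2]={v2:.6e}  Pr[V3]={v3:.2e}  Pr[a0]={a0:.8f}")
    print(f"fault tree P1 (two or more of ten lost by 72 min) = {fault_tree_loss_of_flight_management():.10f}")
```

Because the allowed sets for V_1 are the same in every phase and failures are monotone, Pr[V_1] collapses to the 75-minute binomial 1 - P_1 evaluated at t = 75 rather than 72; the difference between the two rows of Table 12 for "safe, on time" comes from how each method handles the last three minutes and the communication-channel events, not from the LRU arithmetic.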





Solution Effort 


A total of 28 man-hours were expended learning the method to the 
degree needed to solve the sample problem. An additional 26 hours were 
required to compute the results given above. The majority of this computation 
time was used in multiplying the matrices. 

It should be kept in mind that only the accomplishment level $a_0$ was
considered. A complete solution of the problem would have required evaluation
of the other four accomplishment levels. Each would require a time approxi-
mately the same as that expended here. All computations were done by hand
using a desk calculator.

Obviously, computer assistance would greatly reduce the time required 
and the total resources required for a solution. For this problem, however, 
it seems clear that Meyer's method requires a computation time perhaps an order 
of magnitude greater than that for the corresponding fault-tree solution. 

Fault Tree Solution of Cross-Training Problem 


Analytic Summary 

Five mission outcomes were specified by the problem statement. One 
fault tree was constructed for each outcome. The fundamental events for a 
given tree specified the number of processors which were failed at the ends 
of particular phases and the presence or absence of Category II weather. In 
some cases involving "AND" logic gates, one event was conditioned upon 
occurrence of another event. The probability equations were written directly 
using the fundamental events for each tree. The numerical results are shown 
in Table 17. 

Solution Effort 


Constructing the fault trees and computing the probabilities required
ten man-hours. Since the sum of the probabilities of all outcomes did not
equal 1.0, an error was indicated. Two man-hours were expended finding the
error (which was a multiplication error). Two more man-hours were spent
checking other computations. The total time expended on the problem was 14
man-hours.

TABLE 17. PROBABILITY RESULTS OF FAULT TREE ANALYSIS
          OF CROSS-TRAINING PROBLEM

    Mission Outcome                        Probability
    -------------------------------------  -----------
    Safe, on-time, original destination    0.993992
    Safe, late, original destination       0.006008
    Safe, diversion                        4 x 10^-9
    Safe, aborted (land at origin)         0
    Loss of aircraft                       2 x 10^-14

Discussion 


The fault trees for the cross-training problem were directly con- 
structed from the problem statement. No significant difficulties were 
encountered. Some assistance was gained from having solved the multi- 
processor problem, which was simplified to create the cross-training problem. 

Conditional combinations of fundamental events were used to express
outcomes sensitive to the phase in which a certain level of degradation is
realized. Care was required to ensure that all combinations resulting in each
outcome were included. In addition, care was required in writing the correct
probability expressions for the fundamental events.


CONCLUSIONS AND RECOMMENDATIONS


The objective of this study was to assess performability analysis 
in terms of its capabilities, practical usefulness, and costs of application. 
The assessment method was to solve sample problems using performability 
analysis and fault trees and then compare results. One analyst was assigned 
to each technique. The assignment was reversed for the last sample problem. 
The analysts had neither learned nor applied either technique prior to this 
study. An automated technique, TASRA, was used in two problems for further 
comparison. 

Preceding sections of this report synopsized the techniques, 
presented the sample problems, and summarized the results of analyzing each 
problem with the various techniques. This section discusses the conclusions 
and recommendations derived during this investigation. 


LEARNING REQUIREMENTS 


Much more time and effort is required to learn performability 
analysis than to learn the fault tree approach. "Learn" is assumed to include 
"understand the underlying theory". Although formal material could be helpful 
for learning fault trees, it is not required. The basic fault tree approach 
is conceptually simple and can be learned in a matter of hours. Performability 
analysis could require a man-week or more to attain the same level of under- 
standing using currently available material. The concept of functional 
dependencies, the model hierarchy, and the computational methods all contribute 
significantly to the requirements. Tutorial material, which does not currently 
exist for performability analysis, could reduce the learning time. Even with 
such material, performability analysis will still require more time and effort 
to learn. 

The analysts assigned to performability analysis and fault trees had 
solid mathematical backgrounds. They both found that performability analysis 
required much more mathematical background than fault trees. The nature of the 
relationship between level of mathematical background and the time and effort 
required to learn each technique is diagrammed in Figure 23. The vertical
asymptote for performability analysis indicates that minimum background
requirements for understanding the technique are much greater than fault trees.
Concepts related to the asymptote are composition of functions, inverse
functions, projection mappings, set manipulations, and matrix multiplication.

FIGURE 23. CONCEPTUAL RELATIONSHIP BETWEEN LEARNING REQUIREMENTS AND
           MATHEMATICAL BACKGROUND
           [figure not reproduced; axes: Learning Time and Effort (vertical)
           versus Mathematical Background (horizontal)]


APPLICATION EFFORT 


For the sample problems used in this investigation, performability 
analysis required significantly more solution effort than the fault tree 
approach. For the dual-dual problem, TASRA required less effort than fault 
trees or performability analysis, but TASRA was not exercised to the same level 
of conceptual accuracy. Table 18 summarizes the man-hours expended for the 
different problems. The figures shown include time to become familiar with 
the problem as well as modeling and computation times. 

The dual-dual problem was found to have characteristics beyond the 
designed capabilities of TASRA. In particular, TASRA was not structured to 
handle multiple-phase missions involving dependencies among functions or 
components. Some hand manipulations were necessary to approximate the logical 
connections between phases. Since no significant information was gained by 
applying TASRA to the dual-dual problem, it was not applied to the other two 
problems. TASRA is not discussed any further in this report. 

The time differences between performability analysis and the fault 
tree approach are believed to represent differences between the two techniques 
and not differences in analyst capability. The sample problems did not involve 
details of flight control or computing systems which could give one analyst an 
advantage regardless of solution technique. In addition, the cross-training 
problem solutions exhibited solution time differences similar to those of the 
dual-dual and multi-processor problems. 

Performability analysis utilizes a hierarchy of models to connect
the mission outcomes of interest (i.e., the accomplishment levels) to sets of
possible component behaviors. The model hierarchies were not uniquely defined
by the problem statements. The time required to define and select a hierarchy
was approximately twenty percent of the total solution time for the dual-dual
and multi-processor problems.

* The series-parallel problem is excluded from this discussion because its
extreme simplicity provides a poor basis for comparing techniques.

TABLE 18. SOLUTION MAN-HOURS SUMMARY

                           Man-Hours for Solution*
    Problem            Performability   Fault Trees   TASRA
    ---------------    --------------   -----------   -----
    Dual-Dual                46              30         25
    Multi-Processor          59              22         —
    Cross-Training           26**            14         —

* Includes model construction and computations. Does not include detailed
computational checks.

** Represents partial problem solution as described in the text.

The process of determining the set of base model trajectories associ- 
ated with each mission outcome consumed about one third of the total solution 
time. Every mathematically possible trajectory is expressed at each step in 
the model hierarchy, even if it has a zero probability of occurrence or is not 
physically possible. This is inefficient in terms of time requirements. 
However, as noted under the heading "Solution Accuracy", this allows for a 
logical correctness test which can increase confidence in the accuracy of the 
solution. 

Probability computations accounted for 40 to 50 percent of the
solution time for performability analysis. A state transition matrix was
required for each mission phase. All possible transition probabilities had to
be computed. Matrix multiplications were then performed for each mission
outcome. Many quantities were zero or negligible (less than $10^{-n}$; the
exponent $n$ did not survive scanning), but time was still spent on them. A
significant amount of time was spent checking the computations for numerical
accuracy.

The fault-tree approach focused only on events of interest. Each 
mission outcome required a separate fault tree. Physically impossible events 
or combinations of events were not included in either the trees or the 
associated probability computations. 

Expressing dependencies among functions or components, for one or 
several phases, in terms of fault trees, required some ingenuity and the use 
of conditional probabilities and combinations of events. Performability 
analysis has a structure oriented towards capturing dependencies. Dependencies 
are expressed at the model level (e.g., mission, function, component) at which 
they occur. The procedure for determining the base model trajectories associ- 
ated with each mission outcome maintains all dependencies expressed at 
intermediate model levels . 

The sample problems involved a small number of functional depen- 
dencies. Examples include the related and interdependent requirements for the 
digital air data, AHRS, and INS in the dual-dual problem and the conditions 
for diversion in the multi-processor problem. The presence of few dependencies 
is viewed as an advantage for fault trees. 



A few dependencies, multiple phases, and several mission outcomes
characterized the sample problems. For each outcome, the fault-tree approach
only considered combinations of events resulting in that outcome. Performability
analysis, on the other hand, considered all possible combinations of events.


SOLUTION ACCURACY 


Performability analysis was found to have no inherent characteristics
which make it more or less numerically accurate than other techniques. How-
ever, for very complex problems, performability analysis may result in a higher
level of confidence that no mistakes have been made. Many of the set manipu-
lations for determining base model trajectories are mechanical in nature and
can be readily checked. At each level in the model hierarchy, counting
procedures can be used to ensure the correct number of trajectories have been
expressed. The actual probability computations involve matrix multiplications
which are tedious but can be checked. Also, the matrix computations have been
automated (Reference 4). Fault-tree analysis, on the other hand, can involve
conditional probabilities and clever modeling, both of which are more difficult
to verify.


SUMMARY OF CONCLUSIONS 


Conclusions based on this investigation can be summarized as follows: 

o It is possible to learn and apply performability analysis 
using existing descriptive material. 

o Performability analysis requires much more effort to learn 
and understand than fault trees. 

o For the sample problems, performability analysis required 
more effort than fault trees. 





RECOMMENDATIONS 


Implications of Complex Problems 

As noted above, performability analysis required more solution effort 
than the fault-tree method for the sample problems. The dual-dual and multi- 
processor problems were only moderately complex. More complex problems can 
easily be envisioned. This recommendation is concerned with the effects of 
applying the two techniques to more complex problems. 

Figure 24 diagrams the hypothesized conceptual relationship between 
problem complexity and solution effort for fault trees and performability 
analysis. Complexity can be described in terms of the numbers of outcomes of 
interest, dependencies, and mission phases, and of the fault types to be 
considered. Solid lines are used in the region of the graph represented by
the sample problems. Dashed lines represent hypothesized behavior of the
techniques.

The hypothesized behavior is based on the following factors: 

o Familiarity with performability analysis 

o Study of application of performability analysis to the 
SIFT computer (Reference 3) 

o Extrapolations based on the sample problems. 

Several technique characteristics which support the hypotheses are described
in the following paragraphs.

Consider the fault-tree approach. Each mission outcome requires a 
separate fault tree. Increasing the number of phases tends to increase the 
number of fundamental events which must be considered. Increasing dependencies 
could cause the solution requirements to increase dramatically in terms of time 
and ingenuity because of logical interconnections among dependencies and a 
large number of possible event combinations. 

Performability analysis requirements appear to be less sensitive to 
increases in outcomes, phases, and dependencies. All base model trajectories 
are included regardless of the number of dependencies. More outcomes simply 
require the trajectories to be divided into more sets. More matrix multipli- 
cations are also required. Additional phases tend to increase the number of 
mechanical steps but do not require a great deal in terms of analyst ingenuity. 



FIGURE 24. HYPOTHESIZED CONCEPTUAL RELATIONSHIPS BETWEEN PROBLEM COMPLEXITY
           AND SOLUTION EFFORT
           [figure not reproduced; axes: Solution Effort (vertical) versus
           Problem Complexity, increasing to High (horizontal); curves for
           fault trees and performability analysis]
Only permanent faults were treated in the sample problems. Transient 
faults are quite difficult to handle with fault trees. The only known approach 
is to treat components subject to transient faults with availability equations, 
which tend to become complex. A component subject to transient and permanent 
faults may need to be treated as two components. This could cause fault trees 
to become very cumbersome. Performability analysis uses a state approach, 
which lends itself more readily to modeling transient faults (this issue is 
addressed in more detail below) . 

It is recommended that a highly complex problem be investigated using 
performability analysis and fault trees to determine if the relationship 
depicted in Figure 24 is conceptually accurate. One approach would be to 
analyze the SIFT computer problem (Reference 3) and then compare results and 
effort with the performability solution. A second approach would be to define 
a new problem such as a next-generation transport aircraft (post-Boeing 767) 
with computers based on the FTMP architecture (Reference 15) , and apply both 
techniques to the problem. 

Ability to Model Transient Faults 

Faults may be classified as either permanent or transient. The 
sample problems only considered permanent faults. The ability of performa- 
bility analysis to model transient faults was not addressed by the sample 
problem solutions. However, study of the technique indicated that it could 
handle transient faults through appropriate definition of the base model. 

This claim could be verified by defining a problem involving transient faults 
and then proceeding with performability analysis until solution feasibility 
is clearly established. 


Software Errors 


It is recommended that no attempt to include software error models
in fault trees or performability analysis be made at this time. No validated
fundamental model of software errors is known to exist. Consequently, it is
not feasible to determine if one technique is preferable in terms of modeling
software errors.

Tutorial Material for Performability Analysis 

The material used for learning performability analysis consisted of
status reports by Meyer (References 1, 2, and 3) and technical papers
(References 5-9). The status reports focus on technical developments achieved
during the reporting period. The technical papers focus on particular aspects
of the technique. None of this material was written for tutorial purposes.
As a result, the effort to learn performability analysis was much greater than
necessary. Tutorial material to explain the theory and application of the
technique should be developed.

Performability Analysis Tools 

A large proportion of the effort in applying performability analysis 
is mechanical in nature. Automated tools could potentially reduce the time 
and effort required to derive solutions. An interactive computer program for 
the probability computations exists (Reference 4). It should be validated. 

Two potential areas for tools are model building and formulation of 
the capability function (including computation of the base model trajectory 
sets corresponding to the mission outcomes). A tool for the first area would 
probably be an interactive aid. The second area might be amenable to complete 
automation. It is recommended that these possibilities be investigated. 


OBSERVATIONS 


This section presents several observations on the evaluation of 
fault-tolerant computing systems. They are neither conclusions nor recommen- 
dations, but they reflect important practical considerations which came to 
light during the study. 


Credibility of Solution 

Reliability evaluation of a fault-tolerant computing system is a complicated
and sensitive exercise. Such systems have complex structures and logic paths.
The desired system failure probability is typically so small that the numerical
techniques used in the analysis may cause significant errors. Currently avail-
able reliability models have limitations in the areas of adaptability to
system configurations and numerical accuracy. More capable models are also
more difficult to exercise. Again, since the numbers of interest are so small,
a slight computational or procedural anomaly could cause significant error.
It may therefore be difficult to produce a solution which is uniformly accepted
as credible.

One approach to enhancing solution credibility would be to apply 
more than one technique to the system reliability problem. They could be 
applied by the same or different personnel. The goal would be to obtain 
concurrence on the result . 


Data Support of Models 

Accurate reliability estimation of ultra-reliable systems requires
two key ingredients: a model with sufficient fidelity and data to support
that model. The models applied in this study do not precisely capture all
system characteristics (e.g., recovery strategies, timing difficulties), but 
it appears they can provide much more modeling precision than can be supported 
by currently available data. This is desirable since it is sometimes easier to 
generate engineering estimates of data for the components of an element rather 
than the entire element. In addition, the existence of advanced models helps 
justify collection of detailed data. However, with respect to the near-term, 
it may be more worthwhile to promote data collection than to increase the 
modeling precision of current reliability techniques. 





REFERENCES


(1) Meyer, John F., "Models and Techniques for Evaluating the Effectiveness of
Aircraft Computing Systems", NASA Grant NSG 1306, Status Report No. 2,
July 1977, NASA CR-145270.

(2) Meyer, John F., "Models and Techniques for Evaluating the Effectiveness of
Aircraft Computing Systems", NASA Grant NSG 1306, Status Report No. 3,
January 1978, NASA CR-158992.

(3) Meyer, John F., "Models and Techniques for Evaluating the Effectiveness of
Aircraft Computing Systems", NASA Grant NSG 1306, Status Report No. 4,
July 1978, NASA CR-158993.

(4) Furchtgott, D. G., "METAPHOR (Version 1) Programmer's Guide", NASA Grant
NSG 1306, January 1979.

(5) Ballance, R. A., and Meyer, J. F., "Functional Dependence and Its Application
to System Evaluation", Proceedings of the 1978 Johns Hopkins Conference
on Information Sciences and Systems, Baltimore, MD, March 1978, pp 280-285.

(6) Meyer, J. F., Furchtgott, D. G., and Wu, L. T., "Performability Evaluation
of the SIFT Computer", Proceedings 1979 International Symposium on Fault-Tolerant
Computing, Madison, WI, June 1979, pp 43-50.

(7) Meyer, J. F., "On Evaluating the Performability of Degradable Computing
Systems", Proceedings 1978 International Symposium on Fault-Tolerant
Computing, Toulouse, France, June 1978, pp 44-49.

(8) Furchtgott, D. G., and Meyer, J. F., "Performability Evaluation of Fault-
Tolerant Multiprocessors", GOMAC 1978 Digest of Papers, pp 362-365.

(9) Wu, L. T., and Meyer, J. F., "Phase Models for Evaluating the Performability
of Computing Systems", Proceedings 1979 Johns Hopkins Conference on Infor-
mation Sciences and Systems, Baltimore, MD, March 1979, pp 426-431.

(10) Hagen, E. W., "International Conference on Nuclear Systems Reliability
Engineering and Risk Assessment", Nuclear Safety, Vol. 19, No. 1, January-
February 1978, pp 38-42.

(11) NRC Risk Assessment Review Group, "Report of the NRC Risk Assessment Review
Group on the Reactor Safety Study", Nuclear Safety, Vol. 20, No. 1,
January-February 1979, pp 24-26.

(12) Fussell, J. B., Powers, G. J., and Bennetts, R. G., "Fault Trees - A State
of the Art Discussion", IEEE Transactions on Reliability, Vol. R-23,
April 1974, pp 51-55.

(13) Chamow, Martin F., "Directed Graph Techniques for Fault Tree Analysis",
IEEE Transactions on Reliability, Vol. R-27, No. 1, April 1978, pp 7-15.

(14) Pelto, P. J., and Purcell, W. L., "MFAULT: A Computer Program for Analyzing
Fault Trees", Battelle Pacific Northwest Laboratories, BNWL-2145,
November 1977.

(15) Hopkins, A. L., et al., "FTMP - A Highly Reliable Fault-Tolerant Multiprocessor
for Aircraft", Proceedings of the IEEE, Vol. 66, No. 10, October 1978,
pp 1221-1239.



APPENDIX A

DETAILS OF APPLICATION OF PERFORMABILITY
ANALYSIS OF THE DUAL-DUAL PROBLEM

This appendix provides details of the application of performability 
analysis to the dual-dual problem. The problem is described in an earlier 
section of the report. In addition, the performability analysis solution is 
summarized in the section entitled "Analysis Results". 




Model Hierarchy

    Aircraft Performance Level
            |  K_0
    Mission Level (Level 0)
            |  K_1
    Function Level (Level 1)
            |  K_2
    Component Level (Level 2)


Notation

The characteristic function is:

$$
\gamma = K_0K_1K_2 : U^2 \to A
$$

For $u \in U^2$,

$$
\gamma(u) = (K_0K_1K_2)(u) = K_0(K_1(K_2(u))) .
$$

The level 0 characteristic function is: $\gamma_0 = K_0$.

The level 1 characteristic function is: $\gamma_1 = K_0K_1$.

The level 2 characteristic function is: $\gamma_2 = \gamma = K_0K_1K_2$.

The probability the mission results in accomplishment level $a_n$ is:

$$
P(a_n) = P_r\!\left(\gamma^{-1}(a_n)\right) .
$$


Accomplishment Set

The set of mission outcomes in the Aircraft Performance Level is
the accomplishment set $A$:

$$
A = \{a_0, a_1, a_2\}
$$

where

$a_0$ = safe flight and successful CAT II conditions landing at the
primary destination

$a_1$ = safe flight and landing at alternate destination

$a_2$ = unsafe flight.

Accomplishment level $a_0$ requires that the conditions for "safe flight" and
"no diversion" in the problem statement are satisfied. Failure to satisfy
the "no diversion" conditions will result in $a_1$ as long as the "safe flight"
conditions are met. If the "safe flight" conditions are not met, then $a_2$
results whether or not the "no diversion" conditions are satisfied.

Mission Level (Level 0) Model


Let

$$
h_1 = \begin{cases} 1 & \text{if no diversion occurs} \\ 0 & \text{otherwise} \end{cases}
$$

and

$$
h_2 = \begin{cases} 1 & \text{if flight is safe} \\ 0 & \text{otherwise.} \end{cases}
$$

The Level 0 trajectory space is:

$$
U^0 = \left\{ \begin{bmatrix} h_1 \\ h_2 \end{bmatrix} \;\middle|\; h_i \in \{0, 1\} \right\}, \qquad K_0 : U^0 \to A .
$$

The Level 0 inverses are:

$$
\gamma_0^{-1}(a_0) = K_0^{-1}(a_0) = \left\{ \begin{bmatrix} 1 \\ 1 \end{bmatrix} \right\}, \qquad
\gamma_0^{-1}(a_1) = K_0^{-1}(a_1) = \left\{ \begin{bmatrix} 0 \\ 1 \end{bmatrix} \right\}, \qquad
\gamma_0^{-1}(a_2) = K_0^{-1}(a_2) = \left\{ \begin{bmatrix} * \\ 0 \end{bmatrix} \right\}
$$

where $*$ indicates "any possible value" (in this case, 0 or 1).


Function Level (Level 1) Model


Let function $i$ ($i = 1, 2, 3, 4$) be the set of jobs performed by the
components in set $S_i$ where:

$S_1$ = {Radar altimeter, VOR, DME}

$S_2$ = {DAD, AHRS, INS}

$S_3$ = {Sensor RT, FCMS, Aft RT}

$S_4$ = {FCC-1, BIU-1, FCC-2, BIU-2}.

Define

$$
f_i = \begin{cases}
2 & \text{if function } i \text{ meets the "no diversion" requirements} \\
1 & \text{if function } i \text{ meets the "safe flight" requirements but not the "no diversion" requirements} \\
0 & \text{otherwise.}
\end{cases}
$$

The Level 1 trajectory space is

$$
U^1 = \left\{ \begin{bmatrix} f_1 \\ f_2 \\ f_3 \\ f_4 \end{bmatrix} \;\middle|\; f_i \in \{0, 1, 2\} \right\}, \qquad K_1 : U^1 \to U^0 .
$$

We need to determine $\gamma_1^{-1}(a_n)$ for all $a_n \in A$. This will be
accomplished by characterizing $K_1^{-1}(u)$ for all $u \in U^0$ and then combining with
$\gamma_0^{-1} = K_0^{-1}$ (from the level 0 model).

Let $C_i$ ($i = 1, 2$) be the mapping defined on $U^0$ as the projection onto
the $i$th entry:

$$
C_i(u) = C_i\!\left(\begin{bmatrix} h_1 \\ h_2 \end{bmatrix}\right) = h_i .
$$

Pictorially we have:

$$
v \in U^1 \xrightarrow{\;K_1\;} \begin{bmatrix} h_1 \\ h_2 \end{bmatrix} \in U^0 \xrightarrow{\;K_0\;} a_n \in A, \qquad
\begin{bmatrix} h_1 \\ h_2 \end{bmatrix} \xrightarrow{\;C_i\;} h_i .
$$

The composite map $C_iK_1 : U^1 \to \{h_i\}$ relates each $v \in U^1$ to a single $h_i$ value.
The inverse is defined as follows:

$$
(C_iK_1)^{-1}(h_i) = \left\{ v \in U^1 \;\middle|\; C_i(K_1(v)) = h_i \right\} .
$$

For $u = \begin{bmatrix} h_1 \\ h_2 \end{bmatrix} \in U^0$, the inverse image $K_1^{-1}(u) \subseteq U^1$ can be written as:

$$
K_1^{-1}(u) = (C_1K_1)^{-1}(h_1) \cap (C_2K_1)^{-1}(h_2) .
$$

We will specify $(C_iK_1)^{-1}(h_i)$ for all $h_i$ ($i = 1, 2$) and then form $K_1^{-1}(u)$ for
each $u \in U^0$. Finally, since $\gamma_0^{-1}(a_n) \subseteq U^0$, we will form

$$
\gamma_1^{-1}(a_n) = (K_0K_1)^{-1}(a_n) = \bigcup_{u \in \gamma_0^{-1}(a_n)} K_1^{-1}(u) .
$$


The inverses for the $h_i$ are as follows:

For $h_1 = 1$ (no diversion):

$$
(C_1K_1)^{-1}(1) = \left\{ \begin{bmatrix} 2 \\ 2 \\ 2 \\ 2 \end{bmatrix} \right\}
$$

For $h_1 = 0$ (diversion):

$$
(C_1K_1)^{-1}(0) = \left\{
\begin{bmatrix} 0 \text{ or } 1 \\ * \\ * \\ * \end{bmatrix},
\begin{bmatrix} 2 \\ 0 \text{ or } 1 \\ * \\ * \end{bmatrix},
\begin{bmatrix} 2 \\ 2 \\ 0 \text{ or } 1 \\ * \end{bmatrix},
\begin{bmatrix} 2 \\ 2 \\ 2 \\ 0 \text{ or } 1 \end{bmatrix}
\right\}
$$

where $*$ represents "any possible value" (in this case, 0, 1, or 2).

For $h_2 = 1$ (safe flight):

$$
(C_2K_1)^{-1}(1) = \left\{ \begin{bmatrix} 1 \text{ or } 2 \\ 1 \text{ or } 2 \\ 1 \text{ or } 2 \\ 1 \text{ or } 2 \end{bmatrix} \right\}
$$

For $h_2 = 0$ (unsafe flight):

$$
(C_2K_1)^{-1}(0) = \left\{
\begin{bmatrix} 0 \\ * \\ * \\ * \end{bmatrix},
\begin{bmatrix} 1 \text{ or } 2 \\ 0 \\ * \\ * \end{bmatrix},
\begin{bmatrix} 1 \text{ or } 2 \\ 1 \text{ or } 2 \\ 0 \\ * \end{bmatrix},
\begin{bmatrix} 1 \text{ or } 2 \\ 1 \text{ or } 2 \\ 1 \text{ or } 2 \\ 0 \end{bmatrix}
\right\}
$$

The inverses of the $a_n$ are formed as follows:

Let $u_1 = \begin{bmatrix} 1 \\ 1 \end{bmatrix}$. Recall $\gamma_0^{-1}(a_0) = \{u_1\}$.

$$
K_1^{-1}(u_1) = (C_1K_1)^{-1}(1) \cap (C_2K_1)^{-1}(1) = \left\{ \begin{bmatrix} 2 \\ 2 \\ 2 \\ 2 \end{bmatrix} \right\}
$$

and $\gamma_1^{-1}(a_0) = K_1^{-1}(u_1)$.

Let $u_2 = \begin{bmatrix} 0 \\ 1 \end{bmatrix}$. Recall $\gamma_0^{-1}(a_1) = \{u_2\}$.

$$
K_1^{-1}(u_2) = (C_1K_1)^{-1}(0) \cap (C_2K_1)^{-1}(1) = \left\{
\begin{bmatrix} 1 \\ 1 \text{ or } 2 \\ 1 \text{ or } 2 \\ 1 \text{ or } 2 \end{bmatrix},
\begin{bmatrix} 2 \\ 1 \\ 1 \text{ or } 2 \\ 1 \text{ or } 2 \end{bmatrix},
\begin{bmatrix} 2 \\ 2 \\ 1 \\ 1 \text{ or } 2 \end{bmatrix},
\begin{bmatrix} 2 \\ 2 \\ 2 \\ 1 \end{bmatrix}
\right\}
$$

and $\gamma_1^{-1}(a_1) = K_1^{-1}(u_2)$.

Let $u_3 = \begin{bmatrix} * \\ 0 \end{bmatrix}$. Recall $\gamma_0^{-1}(a_2) = \{u_3\}$.

$$
K_1^{-1}(u_3) = (C_1K_1)^{-1}(*) \cap (C_2K_1)^{-1}(0) = (C_2K_1)^{-1}(0)
$$

and $\gamma_1^{-1}(a_2) = (C_2K_1)^{-1}(0)$.

Summarizing the Level 1 Inverses:

$$
\gamma_1^{-1}(a_0) = \left\{ \begin{bmatrix} 2 \\ 2 \\ 2 \\ 2 \end{bmatrix} \right\}
$$

$$
\gamma_1^{-1}(a_1) = \left\{
\begin{bmatrix} 1 \\ 1 \text{ or } 2 \\ 1 \text{ or } 2 \\ 1 \text{ or } 2 \end{bmatrix},
\begin{bmatrix} 2 \\ 1 \\ 1 \text{ or } 2 \\ 1 \text{ or } 2 \end{bmatrix},
\begin{bmatrix} 2 \\ 2 \\ 1 \\ 1 \text{ or } 2 \end{bmatrix},
\begin{bmatrix} 2 \\ 2 \\ 2 \\ 1 \end{bmatrix}
\right\}
$$

$$
\gamma_1^{-1}(a_2) = \left\{
\begin{bmatrix} 0 \\ * \\ * \\ * \end{bmatrix},
\begin{bmatrix} 1 \text{ or } 2 \\ 0 \\ * \\ * \end{bmatrix},
\begin{bmatrix} 1 \text{ or } 2 \\ 1 \text{ or } 2 \\ 0 \\ * \end{bmatrix},
\begin{bmatrix} 1 \text{ or } 2 \\ 1 \text{ or } 2 \\ 1 \text{ or } 2 \\ 0 \end{bmatrix}
\right\}
$$


Component Level (Level 2) Model


Let

$x_{ij}$ = number of units of component $i$ which are fault-free in
Phase $j$ ($j = 1, 2$).

The component subscripts $i$ ($i = 1, 2, \ldots, 13$) and the domains of the $x_{ij}$ are
defined in Table 1. The Level 2 trajectory space is the set of 13 by 2
matrices

$$
U^2 = \left\{ [x_{ij}] \;\middle|\; i = 1, 2, \ldots, 13 \text{ and } j = 1, 2 \right\} .
$$

Rows of $[x_{ij}]$ correspond to components and columns correspond to phases.
$U^2$ can be functionally related to the accomplishment set $A$ as follows:

$$
U^2 \xrightarrow{\;K_2\;} U^1 \xrightarrow{\;K_1\;} U^0 \xrightarrow{\;K_0\;} A, \qquad
\gamma_1 = K_0K_1, \qquad \gamma = K_0K_1K_2 .
$$

The inverses $\gamma_1^{-1}(a_n)$ were specified in the preceding section.
We now need to specify $\gamma^{-1}(a_n) = (\gamma_1K_2)^{-1}(a_n)$ for all $a_n \in A$. This will be accom-
plished by characterizing $K_2^{-1}(v)$ for all $v \in U^1$ and then combining $K_2^{-1}$ with
$\gamma_1^{-1}$.

Let $\alpha_i$ ($i = 1, 2, 3, 4$) be the mapping defined on $U^1$ as the pro-
jection onto the $i$th entry:

$$
\alpha_i(v) = \alpha_i\!\left(\begin{bmatrix} f_1 \\ f_2 \\ f_3 \\ f_4 \end{bmatrix}\right) = f_i .
$$

Pictorially we have:

$$
w = \begin{bmatrix} x_{11} & x_{12} \\ x_{21} & x_{22} \\ \vdots & \vdots \\ x_{13,1} & x_{13,2} \end{bmatrix} \in U^2
\xrightarrow{\;K_2\;} v = \begin{bmatrix} f_1 \\ f_2 \\ f_3 \\ f_4 \end{bmatrix} \in U^1
\xrightarrow{\;\gamma_1\;} a_n \in A .
$$


Then

$$
(\alpha_iK_2)^{-1}(f_i) = \left\{ w \in U^2 \;\middle|\; \alpha_i(K_2(w)) = f_i \right\}
$$

and for $v = [f_1, f_2, f_3, f_4]^t \in U^1$,

$$
K_2^{-1}(v) = \bigcap_{i=1}^{4} (\alpha_iK_2)^{-1}(f_i) .
$$

According to the descriptions of performability analysis, the
next steps are:

• Specify the sets $(\alpha_iK_2)^{-1}(f_i)$ for all $f_i$ ($i = 1, 2, 3, 4$)

• For each $v \in U^1$, determine $K_2^{-1}(v)$ using the intersections
  of the $(\alpha_iK_2)^{-1}(f_i)$

• Compute $\gamma^{-1}(a_n) = \bigcup_{v \in \gamma_1^{-1}(a_n)} K_2^{-1}(v)$

• Compute $P(a_n) = P_r(\gamma^{-1}(a_n))$

Each $\gamma^{-1}(a_n)$ is a set of 13 by 2 $[x_{ij}]$ matrices in $U^2$. The
trajectory space has the structure $Q \times Q$ where $Q$ is the state space of
13-dimensional vectors:

$$
Q = \left\{ \begin{bmatrix} x_1 \\ x_2 \\ \vdots \\ x_{13} \end{bmatrix} \right\}
$$

where each $x_i$ corresponds to $x_{ij}$ in Table 1 (i.e., the phase subscript $j$ is
omitted).

$Q$ is a space of dimension 13. While it is conceptually possible
to find inverses of elements of $U^1$ in $U^2 = Q \times Q$ and to develop the probability
transition matrices, the practical aspects of such an undertaking are prohibi-
tive.

We can proceed by decomposing $Q$ into mutually independent subspaces.
Two subspaces are independent if, for all $q$ in the space, the values of the
components of $q$ in each subspace are not impacted by the values of the
components of $q$ in the other subspace. By virtue of their independence, we can
find inverses and compute probabilities in each subspace. From a practical
point of view, the dimension of each subspace will be manageable.

TABLE 1. COMPONENT VARIABLES $x_{ij}$ FOR THE LEVEL 2 MODEL

    Component          i    Domain of x_ij
    ---------------   --    --------------
    Radar Altimeter    1    0,1
    VOR                2    0,1,2
    DME                3    0,1,2
    DAD                4    0,1,2
    AHRS               5    0,1
    INS                6    0,1
    Sensor RT          7    0,1,2
    FCMS               8    0,1,2
    Aft RT             9    0,1,2
    FCC-1             10    0,1
    BIU-1             11    0,1,2
    FCC-2             12    0,1
    BIU-2             13    0,1,2

Decompose $Q$ into four subspaces, denoted by $Q_i$, and defined as
follows:

$$
Q_1 = \left\{ \begin{bmatrix} x_1 \\ x_2 \\ x_3 \end{bmatrix} \right\}, \qquad
Q_2 = \left\{ \begin{bmatrix} x_4 \\ x_5 \\ x_6 \end{bmatrix} \right\}, \qquad
Q_3 = \left\{ \begin{bmatrix} x_7 \\ x_8 \\ x_9 \end{bmatrix} \right\}, \qquad
Q_4 = \left\{ \begin{bmatrix} x_{10} \\ x_{11} \\ x_{12} \\ x_{13} \end{bmatrix} \right\}
$$

The components for each subspace were chosen to assure mutually independent
subspaces. Table 2 (which is based on Table 2 of the problem statement)
formed the basis of selection. The DAD, AHRS, and INS interact and are
grouped to form $Q_2$. The FCCs and BIUs interact and are grouped to form $Q_4$.
The remaining components are all independent with respect to $Q_2$, $Q_4$, and each
other. For convenience, they are grouped into two subspaces, each of dimension
three. Note that the components in subspace $i$ correspond to the components
comprising function $i$.

Since the $f_i$ are independent in terms of their contributions to
the mission outcome, the performability analysis can be completed according
to the following steps:

• Specify subspace $Q_i$

• Compute $P_r(F_i = f_i) = P_r\!\left[(\alpha_iK_2)^{-1}(f_i)\right]$ using equation 5 in
  Reference 1 (where $F_i$ represents function $i$)

• For each $v = [f_1, f_2, f_3, f_4]^t \in \gamma_1^{-1}(a_n)$, compute $\prod_{i=1}^{4} P_r(F_i = f_i)$

• Sum the products $\prod_{i=1}^{4} P_r(F_i = f_i)$ for all $v \in \gamma_1^{-1}(a_n)$ to obtain $P(a_n)$.

The procedure and computations for subspace $Q_1$ are explained in
some detail. Since subspaces $Q_2$, $Q_3$, and $Q_4$ are treated analogously, ex-
planations are omitted from those computations.

TABLE 2. COMPONENT REQUIREMENTS FOR MISSION PERFORMANCE LEVELS

                          MINIMUM COMPONENT REQUIREMENTS
    Component           Safe Flight     Initiate CAT II      Complete CAT II
                        (both phases)   Landing (T=73 min)   Landing (T=75 min)
    Radar Alt.
    Digital Air Data
    AHRS
    INS
    VOR
    DME
    Sensor RT
    PU-I
    PU-II
    FCMS
    Aft RT

    [The entries of 1 marking which components are required under each
    heading did not survive scanning.]

where

PU = processing unit

PU-I: one FCC with one associated BIU
PU-II: one FCC with both associated BIUs


Subspace $Q_1$. The inverse images $(\alpha_1K_2)^{-1}(f_1)$ can be completely specified
in terms of the trajectory subspace $U_1^2 = Q_1 \times Q_1$ where $Q_1 = \{[x_1, x_2, x_3]^t\}$.

Using Table 1 we can form the following table:


                  No Diversion                Safe Flight
             Phase 1       Phase 2          Phases 1 and 2
    x_1         1             1                   *
    x_2         2          1 or 2                 *
    x_3      1 or 2           *                   *

where $*$ represents "any possible value". From this table we can specify the
$(\alpha_1K_2)^{-1}(f_1)$:

$$
(\alpha_1K_2)^{-1}(2) = \left\{ \begin{bmatrix} 1 & 1 \\ 2 & 1 \text{ or } 2 \\ 1 \text{ or } 2 & * \end{bmatrix} \right\}
$$

$$
(\alpha_1K_2)^{-1}(1) = \left\{
\begin{bmatrix} 1 & 0 \\ 2 & * \\ 1 \text{ or } 2 & * \end{bmatrix},
\begin{bmatrix} 1 & 1 \\ 2 & 0 \\ 1 \text{ or } 2 & * \end{bmatrix},
\begin{bmatrix} 0 & * \\ * & * \\ * & * \end{bmatrix},
\begin{bmatrix} 1 & * \\ 0 \text{ or } 1 & * \\ * & * \end{bmatrix},
\begin{bmatrix} 1 & * \\ 2 & * \\ 0 & * \end{bmatrix}
\right\}
$$

$$
(\alpha_1K_2)^{-1}(0) = \emptyset
$$


The states in the subspace are diagrammed in Figure 1. We can 
write the elements of the above secs as Cartesian sets in terms of the state 
numbers: 


1 

2 

1 or 2 


1 

1 or 2 
* 


= 


{1, 2} X U, 2, 3, 4, 5, 6} = V, 


- 








1 

0 


1 

1 



2 

A 


2 

0 



1 or 2 

* 

7 

J^or 2 

* 



= {1, 2} X {7} = V2 










0 * 


1 * 


1 * 



* * 


0 or 1 * 


2 * 



A A 


A A 


0 * 



— — 


— 





^ = {3, 4, 5, 6, 7} X Q = V, 


Hence, 

(aiK2)-l(2) = 

(aj_K2)"^(l) = V2 U V3 

(aiK2)~^(0) = 0. 

From Reference 1 we have, for each $V_n$, 
$$\Pr(V_n) = I(0) \cdot P_1 \cdot G_{V_n,1} \cdot P_2 \cdot G_{V_n,2} \cdot F$$ 

where 

$I(0) = [1\ 0\ 0\ 0\ 0\ 0\ 0]$ 

$F = [1\ 1\ 1\ 1\ 1\ 1\ 1]^t$ (t indicates "transpose") 

$P_k$ = intraphase transition matrix for phase k 

$G_{V_n,k}$ = characteristic matrix for $V_n$ and phase k. 

The intraphase transition matrix is $P_k = [P_k(i,j)]$ 

where 

$P_k(i,j) = \Pr(\text{system ends phase } k \text{ in state } j \mid \text{system begins phase } k \text{ in state } i)$. 

Each $P_k(i,j)$ is expressed in terms of 

$p_n = \exp(-\lambda_n t_k) = \Pr(\text{component of type } n \text{ does not fail in time } t_k)$ 

$q_n = 1 - p_n$ 

where 

$\lambda_n$ = failure rate of a type n component 

$t_k$ = duration of phase k. 


Figure 2 presents $P_k$ for subspace $Q_1$. Since the same model (i.e., subspace) 
is used in each phase, the only difference between $P_1$ and $P_2$ is in their 
durations. 

The characteristic matrix for phase k of the Cartesian set $V_n$ 
is $G_{V_n,k} = [G_{V_n,k}(i,j)]$ where 
$$G_{V_n,k}(i,j) = \begin{cases} 1 & \text{if } i = j \text{ and } i \in k\text{th state set of } V_n \\ 0 & \text{otherwise} \end{cases}$$ 

The role of $G_{V_n,k}$ is to select the output states of the intraphase transition 
matrix $P_k$ which correspond to the Cartesian set $V_n$. Multiplying $P_k$ by $G_{V_n,k}$ 
puts zeros in all columns of $P_k$ except those corresponding to the phase k end 
states of $V_n$. 

The symbolic computations to derive $\Pr(V_n)$ in terms of the $P_k(i,j)$ 
are as follows: 

$V_1 = \{1,2\} \times \{1,2,3,4,5,6\}$ 

$G_{V_1,1} = \mathrm{diag}(1,1,0,0,0,0,0)$, $G_{V_1,2} = \mathrm{diag}(1,1,1,1,1,1,0)$ 

$I(0) \cdot P_1 = [P_1(1,1)\ P_1(1,2)\ P_1(1,3)\ P_1(1,4)\ P_1(1,5)\ P_1(1,6)\ P_1(1,7)]$ 

$I(0) \cdot P_1 \cdot G_{V_1,1} = [P_1(1,1)\ P_1(1,2)\ 0\ 0\ 0\ 0\ 0]$ 

$P_2 \cdot G_{V_1,2} \cdot F$ is the column vector with components 

$P_2(1,1) + P_2(1,2) + P_2(1,3) + P_2(1,4) + P_2(1,5) + P_2(1,6)$ 

$P_2(2,2) + P_2(2,4) + P_2(2,5) + P_2(2,6)$ 

$P_2(3,3) + P_2(3,4) + P_2(3,6)$ 

$P_2(4,4) + P_2(4,6)$ 

$P_2(5,5) + P_2(5,6)$ 

$P_2(6,6)$ 

$0$ 

FIGURE 2: INTRAPHASE TRANSITION MATRIX FOR SUBSPACE $Q_1$. 
SUBSCRIPTS ON THE $P_k$ TO INDICATE PHASE k ARE OMITTED. 
$p_i = \exp[-\lambda_i t_k]$, $q_i = 1 - p_i$. 

The matrix is 7 × 7 and upper triangular (states as defined above; the lumped 
state 7 is absorbing). Its nonzero entries are: 

Row 1: $P(1,1) = p_1 p_2^2 p_3^2$, $P(1,2) = 2 p_1 p_2^2 p_3 q_3$, $P(1,3) = 2 p_1 p_2 q_2 p_3^2$, 
$P(1,4) = 4 p_1 p_2 q_2 p_3 q_3$, $P(1,5) = p_1 p_2^2 q_3^2$, $P(1,6) = 2 p_1 p_2 q_2 q_3^2$, 
$P(1,7) = q_1 + p_1 q_2^2$ 

Row 2: $P(2,2) = p_1 p_2^2 p_3$, $P(2,4) = 2 p_1 p_2 q_2 p_3$, $P(2,5) = p_1 p_2^2 q_3$, 
$P(2,6) = 2 p_1 p_2 q_2 q_3$, $P(2,7) = q_1 + p_1 q_2^2$ 

Row 3: $P(3,3) = p_1 p_2 p_3^2$, $P(3,4) = 2 p_1 p_2 p_3 q_3$, $P(3,6) = p_1 p_2 q_3^2$, 
$P(3,7) = q_1 + p_1 q_2$ 

Row 4: $P(4,4) = p_1 p_2 p_3$, $P(4,6) = p_1 p_2 q_3$, $P(4,7) = q_1 + p_1 q_2$ 

Row 5: $P(5,5) = p_1 p_2^2$, $P(5,6) = 2 p_1 p_2 q_2$, $P(5,7) = q_1 + p_1 q_2^2$ 

Row 6: $P(6,6) = p_1 p_2$, $P(6,7) = q_1 + p_1 q_2$ 

Row 7: $P(7,7) = 1$ 

Each row sums to 1. 


$$\Pr(V_1) = I(0) \cdot P_1 \cdot G_{V_1,1} \cdot P_2 \cdot G_{V_1,2} \cdot F 
= P_1(1,1) \sum_{j=1}^{6} P_2(1,j) + P_1(1,2)\,[P_2(2,2) + P_2(2,4) + P_2(2,5) + P_2(2,6)]$$ 

Next, $V_2 = \{1,2\} \times \{7\}$ 

$G_{V_2,1} = \mathrm{diag}(1,1,0,0,0,0,0)$, $G_{V_2,2} = \mathrm{diag}(0,0,0,0,0,0,1)$ 

$I(0) \cdot P_1 \cdot G_{V_2,1} = [P_1(1,1)\ P_1(1,2)\ 0\ 0\ 0\ 0\ 0]$ 

$P_2 \cdot G_{V_2,2} \cdot F = [P_2(1,7)\ P_2(2,7)\ P_2(3,7)\ P_2(4,7)\ P_2(5,7)\ P_2(6,7)\ P_2(7,7)]^t$ 

$$\Pr(V_2) = P_1(1,1)\,P_2(1,7) + P_1(1,2)\,P_2(2,7)$$ 

Next, 

$V_3 = \{3, 4, 5, 6, 7\} \times \{1, 2, 3, 4, 5, 6, 7\}$ 

$G_{V_3,1} = \mathrm{diag}(0,0,1,1,1,1,1)$, $G_{V_3,2} = \mathrm{diag}(1,1,1,1,1,1,1)$ 

$I(0) \cdot P_1 \cdot G_{V_3,1} = [0\ 0\ P_1(1,3)\ P_1(1,4)\ P_1(1,5)\ P_1(1,6)\ P_1(1,7)]$ 

$P_2 \cdot G_{V_3,2} \cdot F = P_2 \cdot F = [1\ 1\ 1\ 1\ 1\ 1\ 1]^t$ 

$$\Pr(V_3) = P_1(1,3) + P_1(1,4) + P_1(1,5) + P_1(1,6) + P_1(1,7)$$ 


From Table 1 of the problem statement: 

    n    Component     MTBF (hrs)    λ_n 
    1    Radar Alt.       700        .001429 
    2    VOR             1000        .0010 
    3    DME             1000        .0010 

The numerical inputs for the $p_n$, $q_n$ follow: 

    n      Phase 1: p_n    q_n            Phase 2: p_n    q_n 
    1      .99826341       1.73659 E-3    .99995238       4.76180 E-5 
    2      .99878407       1.21593 E-3    .99996667       3.33328 E-5 
    3      .99878407       1.21593 E-3    .99996667       3.33328 E-5 

where "E-a" represents $10^{-a}$. 

Using the above values and Figure 2, the following values are computed: 


$P_1(1,1) = .99341698$ 
$P_1(1,2) = 2.41879$ E-3 
$P_1(1,3) = 2.41879$ E-3 
$P_1(1,4) = 5.88929$ E-6 
$P_1(1,5) = 1.47232$ E-6 
$P_1(1,6) = 3.58483$ E-9 
$P_1(1,7) = 1.73806$ E-3 

$P_2(1,1) = .99981907$ 
$P_2(1,2) = 6.66558$ E-5 
$P_2(1,3) = 6.66558$ E-5 
$P_2(1,4) = 4.44379$ E-9 
$P_2(1,5) = 1.11095$ E-9 
$P_2(1,6) = 7.4$ E-14 
$P_2(1,7) = 4.76191$ E-5 

$P_2(2,2) = .99985240$ 
$P_2(2,4) = 6.66580$ E-5 
$P_2(2,5) = 3.33290$ E-5 
$P_2(2,6) = 2.22197$ E-9 
$P_2(2,7) = 4.76191$ E-5 

$P_2(3,3) = .99985239$ 
$P_2(3,4) = 6.6657981$ E-5 
$P_2(3,6) = 1.11098$ E-9 
$P_2(3,7) = 8.0949212$ E-5 

$P_2(4,4) = .99988572$ 
$P_2(4,6) = 3.333010$ E-5 
$P_2(4,7) = 8.094921$ E-5 

$P_2(5,5) = .99988572$ 
$P_2(5,6) = 6.6660203$ E-5 
$P_2(5,7) = 4.7619111$ E-5 

$P_2(6,6) = .99991905$ 
$P_2(6,7) = 8.0949212$ E-5 

Substituting the $P_k(i,j)$ values into the expressions yields: 

$\Pr(V_1) = .995788$ 
$\Pr(V_2) = 4.74208$ E-5 
$\Pr(V_3) = 4.16422$ E-3. 

Finally, we have: 

$\Pr(F_1 = 2) = \Pr(V_1) = .995788$ 

$\Pr(F_1 = 1) = \Pr(V_2) + \Pr(V_3) = 4.21164$ E-3 

$\Pr(F_1 = 0) = \Pr(\emptyset) = 0$. 
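As an added worked example (not part of the original report), the following Python code builds $P_1$ and $P_2$ for subspace $Q_1$ from the MTBF data above, assembles the characteristic matrices $G_{V_n,k}$, and evaluates $\Pr(V_n) = I(0) \cdot P_1 \cdot G_{V_n,1} \cdot P_2 \cdot G_{V_n,2} \cdot F$ for $V_1$, $V_2$, $V_3$. The phase durations of 73 and 2 minutes are an assumption recovered from the tabulated $p_n$ (for instance $\exp(-73/(60 \cdot 700)) = .99826341$); the state numbering is the one given above.

```python
import math

# Subspace Q1 of the multi-processor problem: component 1 = radar altimeter
# (MTBF 700 h), 2 = dual VOR (MTBF 1000 h), 3 = dual DME (MTBF 1000 h).
MTBF_HOURS = {1: 700.0, 2: 1000.0, 3: 1000.0}
PHASE_MINUTES = (73.0, 2.0)  # assumed phase lengths; they reproduce the p_n, q_n above

# State numbering of Q1 as (x1, x2, x3) = working units (inferred from Figure 2):
# 1=(1,2,2) 2=(1,2,1) 3=(1,1,2) 4=(1,1,1) 5=(1,2,0) 6=(1,1,0)
# 7 = radar altimeter failed or both VORs failed (lumped: diversion either way)
N_STATES = 7


def survival(n, minutes):
    """p_n = exp(-lambda_n * t_k): a type-n component does not fail within t_k."""
    return math.exp(-(minutes / 60.0) / MTBF_HOURS[n])


def intraphase_matrix(minutes):
    """P_k of Figure 2 for one phase; P[i][j] is 0-based, state numbers are 1-based."""
    p1, p2, p3 = (survival(n, minutes) for n in (1, 2, 3))
    q1, q2, q3 = 1.0 - p1, 1.0 - p2, 1.0 - p3
    P = [[0.0] * N_STATES for _ in range(N_STATES)]
    P[0][:] = [p1*p2**2*p3**2, 2*p1*p2**2*p3*q3, 2*p1*p2*q2*p3**2,
               4*p1*p2*q2*p3*q3, p1*p2**2*q3**2, 2*p1*p2*q2*q3**2,
               q1 + p1*q2**2]
    P[1][1], P[1][3], P[1][4], P[1][5], P[1][6] = (
        p1*p2**2*p3, 2*p1*p2*q2*p3, p1*p2**2*q3, 2*p1*p2*q2*q3, q1 + p1*q2**2)
    P[2][2], P[2][3], P[2][5], P[2][6] = (
        p1*p2*p3**2, 2*p1*p2*p3*q3, p1*p2*q3**2, q1 + p1*q2)
    P[3][3], P[3][5], P[3][6] = p1*p2*p3, p1*p2*q3, q1 + p1*q2
    P[4][4], P[4][5], P[4][6] = p1*p2**2, 2*p1*p2*q2, q1 + p1*q2**2
    P[5][5], P[5][6] = p1*p2, q1 + p1*q2
    P[6][6] = 1.0  # lumped state 7 is absorbing
    return P


def row_sums(P):
    """Sanity check: every row of a transition matrix must sum to 1."""
    return [sum(row) for row in P]


def char_matrix(states, size=N_STATES):
    """G_{V,k}: the identity restricted to the phase-k state set of V (1-based)."""
    return [[1.0 if (i == j and i + 1 in states) else 0.0 for j in range(size)]
            for i in range(size)]


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def pr_cartesian_set(P1, P2, phase1_states, phase2_states):
    """Pr(V) = I(0) . P1 . G_{V,1} . P2 . G_{V,2} . F for V = S1 x S2."""
    n = len(P1)
    I0 = [[1.0] + [0.0] * (n - 1)]  # the system begins phase 1 in state 1
    F = [[1.0] for _ in range(n)]   # column vector of ones
    M = matmul(I0, P1)
    M = matmul(M, char_matrix(phase1_states, n))
    M = matmul(M, P2)
    M = matmul(M, char_matrix(phase2_states, n))
    return matmul(M, F)[0][0]


def q1_function_probabilities():
    """Return ({f1: Pr(F1 = f1)}, {'V1': Pr(V1), 'V2': Pr(V2), 'V3': Pr(V3)})."""
    P1 = intraphase_matrix(PHASE_MINUTES[0])
    P2 = intraphase_matrix(PHASE_MINUTES[1])
    all_states = set(range(1, N_STATES + 1))
    sets = {
        "V1": ({1, 2}, {1, 2, 3, 4, 5, 6}),   # no diversion in both phases
        "V2": ({1, 2}, {7}),                  # no diversion in phase 1 only
        "V3": ({3, 4, 5, 6, 7}, all_states),  # diversion already in phase 1
    }
    pr = {name: pr_cartesian_set(P1, P2, s1, s2) for name, (s1, s2) in sets.items()}
    # (a1 K2)^-1(2) = V1, (a1 K2)^-1(1) = V2 u V3, (a1 K2)^-1(0) = empty set
    return {2: pr["V1"], 1: pr["V2"] + pr["V3"], 0: 0.0}, pr


if __name__ == "__main__":
    f_probs, v_probs = q1_function_probabilities()
    for name, value in v_probs.items():
        print(f"Pr({name}) = {value:.6e}")
    for f1, value in sorted(f_probs.items(), reverse=True):
        print(f"Pr(F1 = {f1}) = {value:.6e}")
```

Because $V_1 \cup V_2 \cup V_3 = Q_1 \times Q_1$, the three probabilities sum to 1, which is a useful check on the hand-built matrix.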



Subspace $Q_2$. Each $(\alpha_2 K_2)^{-1}(f_2)$, $f_2 \in \{0,1,2\}$, is a union of Cartesian sets in 
$U_2 = Q_2 \times Q_2$, where $Q_2 = x_4 \times x_5 \times x_6$. [The requirements table for 
$Q_2$ in terms of $x_4$, $x_5$, $x_6$ (no diversion in phase 1, no diversion in phase 2, 
safe flight in phases 1 and 2) is not legible in the scanned copy.] 

Figure 3 displays the state diagram for $Q_2$ (not reproduced here). 

A state number is associated with each $q \in Q_2$. Using the state numbers we 
can rewrite the above table as: 

    Condition                       States 
    No Diversion, Phase 1           1, 2, 3 
    No Diversion, Phase 2           1, 2, 3, 5, 6, 7, 8, 11 
    Safe Flight, Phases 1, 2        1, 2, 3, 5, 6, 7 

The $(\alpha_2 K_2)^{-1}(f_2)$ sets can now be written in terms of Cartesian 
sets of states in $Q_2$: 

$(\alpha_2 K_2)^{-1}(2) = V_1$ where 

$V_1$ = {no diversion, phase 1} × {no diversion, phase 2} 

$V_1 = \{1,2,3\} \times \{1,2,3,5,6,7,8,11\}$ 

$(\alpha_2 K_2)^{-1}(1) = V_2 \cup V_3$ where 

$V_2$ = {no diversion, phase 1} × {diversion and safe flight, phase 2} 
$V_2 = \{1,2,3\} \times \emptyset$ 

and 

$V_3$ = {diversion and safe flight, phase 1} × {safe flight, phase 2} 
$V_3 = \{5,6,7\} \times \{1,2,3,5,6,7\}$ 

$(\alpha_2 K_2)^{-1}(0) = V_4 \cup V_5 \cup V_6$ where 

$V_4$ = {unsafe, phase 1} × {all states, phase 2} 

$V_4 = \{4,8,9,10,11,12\} \times Q_2$ 

and 

$V_5$ = {no diversion and safe, phase 1} × {unsafe, phase 2} 

$V_5 = \{1,2,3\} \times \{4,9,10,12\}$ 

and 

$V_6$ = {diversion and safe, phase 1} × {unsafe, phase 2} 

$V_6 = \{5,6,7\} \times \{4,8,9,10,11,12\}$. 

Figure 4 shows the intraphase transition matrix. The symbolic com- 
putations for $\Pr(V_n)$ are as follows: 



FIGURE 4. INTRAPHASE TRANSITION MATRIX FOR $Q_2$ AND PHASE k 
(the phase subscript k is omitted from the $P(i,j)$). 

The matrix is 12 × 12 and upper triangular; its nonzero entries are: 

Row 1: $P(1,1), P(1,2), \ldots, P(1,12)$ (all twelve entries) 
Row 2: $P(2,2), P(2,4), P(2,6), P(2,9), P(2,10), P(2,12)$ 
Row 3: $P(3,3), P(3,4), P(3,7), P(3,9), P(3,11), P(3,12)$ 
Row 4: $P(4,4), P(4,9), P(4,11), P(4,12)$ 
Row 5: $P(5,5), P(5,6), P(5,7), P(5,8), P(5,9), P(5,10), P(5,11), P(5,12)$ 
Row 6: $P(6,6), P(6,9), P(6,10), P(6,12)$ 
Row 7: $P(7,7), P(7,9), P(7,11), P(7,12)$ 
Row 8: $P(8,8), P(8,10), P(8,11), P(8,12)$ 
Row 9: $P(9,9), P(9,12)$ 
Row 10: $P(10,10), P(10,12)$ 
Row 11: $P(11,11), P(11,12)$ 
Row 12: $P(12,12) = 1$ 

$V_1 = \{1,2,3\} \times \{1,2,3,5,6,7,8,11\}$ 

$I(0) \cdot P_1 \cdot G_{V_1,1} = [P_1(1,1)\ P_1(1,2)\ P_1(1,3)\ 0\ 0\ 0\ 0\ 0\ 0\ 0\ 0\ 0]$ 

$P_2 \cdot G_{V_1,2} \cdot F$ is the column vector with components 

1: $P_2(1,1) + P_2(1,2) + P_2(1,3) + P_2(1,5) + P_2(1,6) + P_2(1,7) + P_2(1,8) + P_2(1,11)$ 
2: $P_2(2,2) + P_2(2,6)$ 
3: $P_2(3,3) + P_2(3,7) + P_2(3,11)$ 
4: $0$ 
5: $P_2(5,5) + P_2(5,6) + P_2(5,7) + P_2(5,8) + P_2(5,11)$ 
6: $P_2(6,6)$ 
7: $P_2(7,7) + P_2(7,11)$ 
8: $P_2(8,8) + P_2(8,11)$ 
9: $0$ 
10: $0$ 
11: $P_2(11,11)$ 
12: $0$ 

$\Pr(V_1) = I(0) \cdot P_1 \cdot G_{V_1,1} \cdot P_2 \cdot G_{V_1,2} \cdot F$ 

$= P_1(1,1)\,[P_2(1,1) + P_2(1,2) + P_2(1,3) + P_2(1,5) + P_2(1,6) + P_2(1,7) + P_2(1,8) + P_2(1,11)]$ 

$+ P_1(1,2)\,[P_2(2,2) + P_2(2,6)]$ 

$+ P_1(1,3)\,[P_2(3,3) + P_2(3,7) + P_2(3,11)]$ 

$\Pr(V_2) = 0$ (since $\Pr(\emptyset) = 0$). 

Next, $V_3 = \{5,6,7\} \times \{1,2,3,5,6,7\}$ 

$I(0) \cdot P_1 \cdot G_{V_3,1} = [0\ 0\ 0\ 0\ P_1(1,5)\ P_1(1,6)\ P_1(1,7)\ 0\ 0\ 0\ 0\ 0]$ 

$P_2 \cdot G_{V_3,2} \cdot F$ is the column vector with components 

1: $P_2(1,1) + P_2(1,2) + P_2(1,3) + P_2(1,5) + P_2(1,6) + P_2(1,7)$ 
2: $P_2(2,2) + P_2(2,6)$ 
3: $P_2(3,3) + P_2(3,7)$ 
4: $0$ 
5: $P_2(5,5) + P_2(5,6) + P_2(5,7)$ 
6: $P_2(6,6)$ 
7: $P_2(7,7)$ 
8 through 12: $0$ 

$\Pr(V_3) = P_1(1,5)\,[P_2(5,5) + P_2(5,6) + P_2(5,7)] + P_1(1,6)\,P_2(6,6) + P_1(1,7)\,P_2(7,7)$ 

Next, $V_4 = \{4,8,9,10,11,12\} \times Q_2$ 

$I(0) \cdot P_1 \cdot G_{V_4,1} = [0\ 0\ 0\ P_1(1,4)\ 0\ 0\ 0\ P_1(1,8)\ P_1(1,9)\ P_1(1,10)\ P_1(1,11)\ P_1(1,12)]$ 

$P_2 \cdot G_{V_4,2} \cdot F = [1\ 1\ 1\ 1\ 1\ 1\ 1\ 1\ 1\ 1\ 1\ 1]^t$ 

$\Pr(V_4) = P_1(1,4) + P_1(1,8) + P_1(1,9) + P_1(1,10) + P_1(1,11) + P_1(1,12)$ 

Next, $V_5 = \{1,2,3\} \times \{4,9,10,12\}$ 

$I(0) \cdot P_1 \cdot G_{V_5,1} = [P_1(1,1)\ P_1(1,2)\ P_1(1,3)\ 0\ 0\ 0\ 0\ 0\ 0\ 0\ 0\ 0]$ 

$P_2 \cdot G_{V_5,2} \cdot F$ is the column vector with components 

1: $P_2(1,4) + P_2(1,9) + P_2(1,10) + P_2(1,12)$ 
2: $P_2(2,4) + P_2(2,9) + P_2(2,10) + P_2(2,12)$ 
3: $P_2(3,4) + P_2(3,9) + P_2(3,12)$ 
4: $P_2(4,4) + P_2(4,9) + P_2(4,12)$ 
5: $P_2(5,9) + P_2(5,10) + P_2(5,12)$ 
6: $P_2(6,9) + P_2(6,10) + P_2(6,12)$ 
7: $P_2(7,9) + P_2(7,12)$ 
8: $P_2(8,10) + P_2(8,12)$ 
9: $P_2(9,9) + P_2(9,12)$ 
10: $P_2(10,10) + P_2(10,12)$ 
11: $P_2(11,12)$ 
12: $P_2(12,12)$ 

$\Pr(V_5) = P_1(1,1)\,[P_2(1,4) + P_2(1,9) + P_2(1,10) + P_2(1,12)]$ 

$+ P_1(1,2)\,[P_2(2,4) + P_2(2,9) + P_2(2,10) + P_2(2,12)]$ 

$+ P_1(1,3)\,[P_2(3,4) + P_2(3,9) + P_2(3,12)]$ 

Next, $V_6 = \{5,6,7\} \times \{4,8,9,10,11,12\}$ 

$I(0) \cdot P_1 \cdot G_{V_6,1} = [0\ 0\ 0\ 0\ P_1(1,5)\ P_1(1,6)\ P_1(1,7)\ 0\ 0\ 0\ 0\ 0]$ 

$P_2 \cdot G_{V_6,2} \cdot F$ is the column vector with components 

1: $P_2(1,4) + P_2(1,8) + P_2(1,9) + P_2(1,10) + P_2(1,11) + P_2(1,12)$ 
2: $P_2(2,4) + P_2(2,9) + P_2(2,10) + P_2(2,12)$ 
3: $P_2(3,4) + P_2(3,9) + P_2(3,11) + P_2(3,12)$ 
4: $P_2(4,4) + P_2(4,9) + P_2(4,11) + P_2(4,12)$ 
5: $P_2(5,8) + P_2(5,9) + P_2(5,10) + P_2(5,11) + P_2(5,12)$ 
6: $P_2(6,9) + P_2(6,10) + P_2(6,12)$ 
7: $P_2(7,9) + P_2(7,11) + P_2(7,12)$ 
8: $P_2(8,8) + P_2(8,10) + P_2(8,11) + P_2(8,12)$ 
9: $P_2(9,9) + P_2(9,12)$ 
10: $P_2(10,10) + P_2(10,12)$ 
11: $P_2(11,11) + P_2(11,12)$ 
12: $P_2(12,12)$ 

$\Pr(V_6) = P_1(1,5)\,[P_2(5,8) + P_2(5,9) + P_2(5,10) + P_2(5,11) + P_2(5,12)]$ 

$+ P_1(1,6)\,[P_2(6,9) + P_2(6,10) + P_2(6,12)]$ 

$+ P_1(1,7)\,[P_2(7,9) + P_2(7,11) + P_2(7,12)]$ 

Using the MTBF data from the problem statement: 

    n      Phase 1: p_n    q_n            Phase 2: p_n    q_n 
    4      .99939185       6.08148 E-4    .99998333       1.66666 E-5 
    5      .99848032       1.51968 E-3    .99995833       4.16659 E-5 
    6      .99595266       4.04734 E-3    .99988890       1.11105 E-4 

The $P_k(i,j)$ computations are: 

$P_1(1,1) = p_4^2 p_5 p_6 = .99322997$ 
$P_1(1,2) = p_4^2 p_5 q_6 = 4.036278$ E-3 
$P_1(1,3) = p_4^2 q_5 p_6 = 1.511687$ E-3 
$P_1(1,4) = p_4^2 q_5 q_6 = 6.14318$ E-6 
$P_1(1,5) = 2 p_4 q_4 p_5 p_6 = 1.208798$ E-3 
$P_1(1,6) = 2 p_4 q_4 p_5 q_6 = 4.91230$ E-6 
$P_1(1,7) = 2 p_4 q_4 q_5 p_6 = 1.83978$ E-6 
$P_1(1,8) = q_4^2 p_5 p_6 = 3.67788$ E-7 
$P_1(1,9) = 2 p_4 q_4 q_5 q_6 = 7.47647$ E-9 
$P_1(1,10) = q_4^2 p_5 q_6 = 1.49461$ E-9 
$P_1(1,11) = q_4^2 q_5 p_6 = 5.5977$ E-10 
$P_1(1,12) = q_4^2 q_5 q_6 = 2.27$ E-12 

$P_2(1,1) = .99981390$ 
$P_2(1,2) = 1.11097$ E-4 
$P_2(1,3) = 4.16599$ E-5 
$P_2(1,4) = 4.62914$ E-9 
$P_2(1,5) = 3.33276$ E-5 
$P_2(1,6) = 3.70327$ E-9 
$P_2(1,7) = 1.389$ E-9 
$P_2(1,8) = 2.78$ E-10 
$P_2(1,9) = 1.5$ E-13 
$P_2(1,10) = 3.1$ E-14 
$P_2(1,11) = 1.2$ E-14 
$P_2(1,12) = 1.3$ E-18 

$P_2(2,2) = p_4^2 p_5 = .99992499$ 
$P_2(2,4) = p_4^2 q_5 = 4.16645$ E-5 
$P_2(2,6) = 2 p_4 q_4 p_5 = 3.33313$ E-5 
$P_2(2,9) = 2 p_4 q_4 q_5 = 1.38883$ E-9 
$P_2(2,10) = q_4^2 p_5 = 2.78$ E-10 
$P_2(2,12) = q_4^2 q_5 = 1.16$ E-14 

$P_2(3,3) = p_4^2 p_6 = .99985556$ 
$P_2(3,4) = p_4^2 q_6 = 1.11101$ E-4 
$P_2(3,7) = 2 p_4 q_4 p_6 = 3.33289$ E-5 
$P_2(3,9) = 2 p_4 q_4 q_6 = 3.7034$ E-9 
$P_2(3,11) = q_4^2 p_6 = 2.778$ E-10 
$P_2(3,12) = q_4^2 q_6 = 3.1$ E-14 

$P_2(4,4) = p_4^2 = .99996666$ 
$P_2(4,9) = 2 p_4 q_4 = 3.33326$ E-5 
$P_2(4,12) = q_4^2 = 2.78$ E-10 

$P_2(5,5) = p_4 p_5 p_6 = .99983056$ 
$P_2(5,6) = p_4 p_5 q_6 = 1.11099$ E-4 
$P_2(5,7) = p_4 q_5 p_6 = 4.16606$ E-5 
$P_2(5,8) = q_4 p_5 p_6 = 1.66641$ E-5 
$P_2(5,9) = p_4 q_5 q_6 = 4.62921$ E-9 
$P_2(5,10) = q_4 p_5 q_6 = 1.852$ E-9 
$P_2(5,11) = q_4 q_5 p_6 = 6.94$ E-10 
$P_2(5,12) = q_4 q_5 q_6 = 7.7$ E-14 

$P_2(6,6) = p_4 p_5 = .99994166$ 
$P_2(6,9) = p_4 q_5 = 4.16652$ E-5 
$P_2(6,10) = q_4 p_5 = 1.66659$ E-5 
$P_2(6,12) = q_4 q_5 = 6.9442$ E-10 

$P_2(7,7) = p_4 p_6 = .99987223$ 
$P_2(7,9) = p_4 q_6 = 1.11103$ E-4 
$P_2(7,11) = q_4 p_6 = 1.66647$ E-5 
$P_2(7,12) = q_4 q_6 = 1.852$ E-9 

$P_2(8,8) = p_5 p_6 = .99984723$ 
$P_2(8,10) = p_5 q_6 = 1.11100$ E-4 
$P_2(8,11) = q_5 p_6 = 4.16613$ E-5 
$P_2(8,12) = q_5 q_6 = 4.629$ E-9 

$P_2(9,9) = p_4 = .99998333$ 
$P_2(9,12) = q_4 = 1.66666$ E-5 

$P_2(10,10) = p_5 = .99995833$ 
$P_2(10,12) = q_5 = 4.16659$ E-5 

$P_2(11,11) = p_6 = .99988890$ 
$P_2(11,12) = q_6 = 1.11105$ E-4 

Summarizing the probabilities: 

$\Pr(F_2 = 2) = \Pr(V_1) = .99877758$ 

$\Pr(F_2 = 1) = \Pr(V_2) + \Pr(V_3) = 0 + 1.21553$ E-3 $= 1.21553$ E-3 

$\Pr(F_2 = 0) = \Pr(V_4) + \Pr(V_5) + \Pr(V_6) = 6.5208$ E-6 $+ 3.4073$ E-7 $+ 2.0674$ E-8 $= 6.8822$ E-6. 


Subspace $Q_3$. Each $(\alpha_3 K_2)^{-1}(f_3)$, $f_3 \in \{0,1,2\}$, is a union of Cartesian sets 
in $U_3 = Q_3 \times Q_3$, where $Q_3 = x_7 \times x_8 \times x_9$. From Table 1 we have: 

                    No Diversion                 Safety 
              Phase 1        Phase 2          Phases 1 and 2 
    x_7          2           1 or 2              1 or 2 
    x_8          2           1 or 2              1 or 2 
    x_9          2           1 or 2              1 or 2 

Each $q = (x_7, x_8, x_9)$ is a state in $Q_3$. Figure 5 presents the state diagram for $Q_3$. 

A state number is associated with each $q \in Q_3$. Using the state numbers, we can 
rewrite the above table as: 

    Condition                        States 
    No Diversion, Phase 1            1 
    No Diversion, Phase 2            1-8 
    Safe Flight, Phases 1 and 2      1-8 

The $(\alpha_3 K_2)^{-1}(f_3)$ sets can now be written in terms of Cartesian sets of 
states in $Q_3$: 

FIGURE 5. STATE DIAGRAM FOR $Q_3 = \{1, 2, 3, 4, 5, 6, 7, 8, 9\}$; $U_3 = Q_3 \times Q_3$ 
(figure not reproduced here). 

$(\alpha_3 K_2)^{-1}(2) = V_1$ 
where 

$V_1$ = {no diversion, phase 1} × {no diversion, phase 2} 

$V_1 = \{1\} \times \{1, 2, 3, 4, 5, 6, 7, 8\}$ 

$(\alpha_3 K_2)^{-1}(1) = V_2 \cup V_3$ 
where 

$V_2$ = {no diversion, phase 1} × {diversion and safe, phase 2} 
$V_2 = \{1\} \times \emptyset$ 

and 

$V_3$ = {diversion, phase 1} × {safe flight, phase 2} 

$V_3 = \{2, 3, 4, 5, 6, 7, 8\} \times \{1, 2, 3, 4, 5, 6, 7, 8\}$ 

$(\alpha_3 K_2)^{-1}(0) = V_4 \cup V_5$ 

where 

$V_4$ = {unsafe, phase 1} × {all states, phase 2} 
$V_4 = \{9\} \times Q_3$ 

and 

$V_5$ = {safe, phase 1} × {unsafe, phase 2} 

$V_5 = \{1, 2, 3, 4, 5, 6, 7, 8\} \times \{9\}$ 

Figure 6 shows the intraphase transition matrix. The symbolic computations 
for $\Pr(V_n)$ are as follows: 


$V_1 = \{1\} \times \{1, 2, 3, 4, 5, 6, 7, 8\}$ 

$I(0) \cdot P_1 \cdot G_{V_1,1} = [P_1(1,1)\ 0\ 0\ 0\ 0\ 0\ 0\ 0\ 0]$ 

FIGURE 6. INTRAPHASE TRANSITION MATRIX FOR $Q_3$ AND PHASE k 
(the phase subscript k is omitted from the $P(i,j)$). 

The matrix is 9 × 9 and upper triangular; its nonzero entries are: 

Row 1: $P(1,1), P(1,2), \ldots, P(1,9)$ (all nine entries) 
Row 2: $P(2,2), P(2,5), P(2,6), P(2,8), P(2,9)$ 
Row 3: $P(3,3), P(3,5), P(3,7), P(3,8), P(3,9)$ 
Row 4: $P(4,4), P(4,6), P(4,7), P(4,8), P(4,9)$ 
Row 5: $P(5,5), P(5,8), P(5,9)$ 
Row 6: $P(6,6), P(6,8), P(6,9)$ 
Row 7: $P(7,7), P(7,8), P(7,9)$ 
Row 8: $P(8,8), P(8,9)$ 
Row 9: $P(9,9) = 1$ 

$P_2 \cdot G_{V_1,2} \cdot F$ is the column vector with components 

1: $P_2(1,1) + P_2(1,2) + P_2(1,3) + P_2(1,4) + P_2(1,5) + P_2(1,6) + P_2(1,7) + P_2(1,8)$ 
2: $P_2(2,2) + P_2(2,5) + P_2(2,6) + P_2(2,8)$ 
3: $P_2(3,3) + P_2(3,5) + P_2(3,7) + P_2(3,8)$ 
4: $P_2(4,4) + P_2(4,6) + P_2(4,7) + P_2(4,8)$ 
5: $P_2(5,5) + P_2(5,8)$ 
6: $P_2(6,6) + P_2(6,8)$ 
7: $P_2(7,7) + P_2(7,8)$ 
8: $P_2(8,8)$ 
9: $0$ 

$$\Pr(V_1) = P_1(1,1) \sum_{j=1}^{8} P_2(1,j)$$ 

$V_2 = \{1\} \times \emptyset$ 

$\Pr(V_2) = 0$ since $\Pr(\emptyset) = 0$ 

$V_3 = \{2, 3, 4, 5, 6, 7, 8\} \times \{1, 2, 3, 4, 5, 6, 7, 8\}$ 

$I(0) \cdot P_1 \cdot G_{V_3,1} = [0\ P_1(1,2)\ P_1(1,3)\ P_1(1,4)\ P_1(1,5)\ P_1(1,6)\ P_1(1,7)\ P_1(1,8)\ 0]$ 

$P_2 \cdot G_{V_3,2} \cdot F$ is the same column vector as for $V_1$ above, so 

$\Pr(V_3) = P_1(1,2)\,[P_2(2,2) + P_2(2,5) + P_2(2,6) + P_2(2,8)]$ 

$+ P_1(1,3)\,[P_2(3,3) + P_2(3,5) + P_2(3,7) + P_2(3,8)]$ 

$+ P_1(1,4)\,[P_2(4,4) + P_2(4,6) + P_2(4,7) + P_2(4,8)]$ 

$+ P_1(1,5)\,[P_2(5,5) + P_2(5,8)]$ 

$+ P_1(1,6)\,[P_2(6,6) + P_2(6,8)]$ 

$+ P_1(1,7)\,[P_2(7,7) + P_2(7,8)]$ 

$+ P_1(1,8)\,P_2(8,8)$ 

$V_4 = \{9\} \times Q_3$ 

$I(0) \cdot P_1 \cdot G_{V_4,1} = [0\ 0\ 0\ 0\ 0\ 0\ 0\ 0\ P_1(1,9)]$ 

$P_2 \cdot G_{V_4,2} \cdot F = [1\ 1\ 1\ 1\ 1\ 1\ 1\ 1\ 1]^t$ 

$\Pr(V_4) = P_1(1,9)$ 

$V_5 = \{1, 2, 3, 4, 5, 6, 7, 8\} \times \{9\}$ 

$I(0) \cdot P_1 \cdot G_{V_5,1} = [P_1(1,1)\ P_1(1,2)\ P_1(1,3)\ P_1(1,4)\ P_1(1,5)\ P_1(1,6)\ P_1(1,7)\ P_1(1,8)\ 0]$ 

$P_2 \cdot G_{V_5,2} \cdot F = [P_2(1,9)\ P_2(2,9)\ P_2(3,9)\ P_2(4,9)\ P_2(5,9)\ P_2(6,9)\ P_2(7,9)\ P_2(8,9)\ P_2(9,9)]^t$ 

$$\Pr(V_5) = \sum_{j=1}^{8} P_1(1,j)\,P_2(j,9)$$ 

Using the MTBF data from the problem statement, $p_n = \exp(-\lambda_n t_k)$ 
and $q_n = 1 - p_n$, we have: 

    n      Phase 1: p_n    q_n            Phase 2: p_n    q_n 
    7      .99756962       2.43038 E-3    .99993334       6.66645 E-5 
    8      .99939185       6.08148 E-4    .99998333       1.66666 E-5 
    9      .99756962       2.43038 E-3    .99993334       6.66645 E-5 

The $P_k(i,j)$ computations for $Q_3$ are as follows: 

$P_1(1,1) = p_7^2 p_8^2 p_9^2 = .989110$ 
$P_1(1,2) = 2 p_7 q_7 p_8^2 p_9^2 = 4.81953$ E-3 
$P_1(1,3) = 2 p_7^2 p_8 q_8 p_9^2 = 1.20378$ E-3 
$P_1(1,4) = 2 p_7^2 p_8^2 p_9 q_9 = 4.81953$ E-3 
$P_1(1,5) = 4 p_7 q_7 p_8 q_8 p_9^2 = 5.86554$ E-6 
$P_1(1,6) = 4 p_7 q_7 p_8^2 p_9 q_9 = 2.34836$ E-5 
$P_1(1,7) = 4 p_7^2 p_8 q_8 p_9 q_9 = 5.86554$ E-6 
$P_1(1,8) = 8 p_7 q_7 p_8 q_8 p_9 q_9 = 2.85804$ E-8 
$P_1(1,9) = q_7^2 + (1 - q_7^2)\,q_8^2 + (1 - q_7^2)(1 - q_8^2)\,q_9^2 = 1.21833$ E-5 

$P_2(1,1) = .999700$ 
$P_2(1,2) = 1.33298$ E-4 
$P_2(1,3) = 3.33238$ E-5 
$P_2(1,4) = 1.33298$ E-4 
$P_2(1,5) = 4.44332$ E-9 
$P_2(1,6) = 1.77737$ E-8 
$P_2(1,7) = 4.44332$ E-9 
$P_2(1,8) = 5.9$ E-13 
$P_2(1,9) = 9.1661$ E-9 

$P_2(2,2) = p_7 p_8^2 p_9^2 = .9997667$ 
$P_2(2,5) = 2 p_7 p_8 q_8 p_9^2 = 3.33260$ E-5 
$P_2(2,6) = 2 p_7 p_8^2 p_9 q_9 = 1.33307$ E-4 
$P_2(2,8) = 4 p_7 p_8 q_8 p_9 q_9 = 4.44362$ E-9 
$P_2(2,9) = q_7 + p_7 q_8^2 + p_7 (1 - q_8^2)\,q_9^2 = 6.66692$ E-5 

$P_2(3,3) = p_7^2 p_8 p_9^2 = .999717$ 
$P_2(3,5) = 2 p_7 q_7 p_8 p_9^2 = 1.33300$ E-4 
$P_2(3,7) = 2 p_7^2 p_8 p_9 q_9 = 1.33300$ E-4 
$P_2(3,8) = 4 p_7 q_7 p_8 p_9 q_9 = 1.7774$ E-8 
$P_2(3,9) = q_8 + p_8 q_7^2 + p_8 (1 - q_7^2)\,q_9^2 = 1.66755$ E-5 

$P_2(4,4) = p_7^2 p_8^2 p_9 = .9997667$ 
$P_2(4,6) = 2 p_7 q_7 p_8^2 p_9 = 1.33307$ E-4 
$P_2(4,7) = 2 p_7^2 p_8 q_8 p_9 = 3.33260$ E-5 
$P_2(4,8) = 4 p_7 q_7 p_8 q_8 p_9 = 4.44362$ E-9 
$P_2(4,9) = q_9 + p_9 q_7^2 + p_9 (1 - q_7^2)\,q_8^2 = 6.66692$ E-5 

$P_2(5,5) = p_7 p_8 p_9^2 = .999783$ 
$P_2(5,8) = 2 p_7 p_8 p_9 q_9 = 1.33309$ E-4 
$P_2(5,9) = q_7 + p_7 q_8 + p_7 p_8 q_9^2 = 8.33344$ E-5 

$P_2(6,6) = p_7 p_8^2 p_9 = .999833$ 
$P_2(6,8) = 2 p_7 p_8 q_8 p_9 = 3.33282$ E-5 
$P_2(6,9) = q_7 + p_7 q_9 + p_7 p_9 q_8^2 = 1.33325$ E-4 

$P_2(7,7) = p_7^2 p_8 p_9 = .999783$ 
$P_2(7,8) = 2 p_7 q_7 p_8 p_9 = 1.33309$ E-4 
$P_2(7,9) = q_8 + p_8 q_9 + p_8 p_9 q_7^2 = 8.33344$ E-5 

$P_2(8,8) = p_7 p_8 p_9 = .999850$ 
$P_2(8,9) = q_7 + p_7 q_8 + p_7 p_8 q_9 = .000150$ 

Summarizing the probabilities: 

$\Pr(F_3 = 2) = \Pr(V_1) = .989110$ 

$\Pr(F_3 = 1) = \Pr(V_2) + \Pr(V_3) = 0 + .0108774 = .0108774$ 

$\Pr(F_3 = 0) = \Pr(V_4) + \Pr(V_5) = 1.21833$ E-5 $+ 6.75688$ E-7 $= 1.2859$ E-5. 
Subspace $Q_4$. Each $(\alpha_4 K_2)^{-1}(f_4)$, $f_4 \in \{0, 1, 2\}$, is a union of Cartesian sets in 
$U_4 = Q_4 \times Q_4$, where $Q_4 = x_{10} \times x_{11} \times x_{12} \times x_{13}$. 

Since $x_{10}, x_{12} \in \{0, 1\}$ and $x_{11}, x_{13} \in \{0, 1, 2\}$, the number of states in 
$Q_4$ is 2 · 3 · 2 · 3 = 36. Lumping all states which correspond to unsafe flight 
reduces the number of states to 17. To reduce this number to a more manageable 
value, we will introduce an additional model level which describes processing 
units (PU). A PU is defined to be a FCC and its associated BIU's. We will 
first model the behavior of the function $f_4$ in terms of PU's, and then model 
each PU in terms of its components. The results of the component model will then be 
combined to derive the probabilities for the function $f_4$. 

Let $Y_i$ be the random variable which denotes the state of PU$_i$ 
(i = 1, 2) where the states are defined as follows: 

    FCC-i                  BIU-i                  Y_i 
    (x_10 or x_12)         (x_11 or x_13) 
        1                      2                   2 
        1                      1                   1 
        1                      0                   0 
        0                      *                   0 

where * represents "any possible value". 



Let $\hat{Q}_4 = \{(y_1, y_2) : y_i \in \{0, 1, 2\}\}$. The corresponding trajectory space is 
$\hat{U}_4 = \hat{Q}_4 \times \hat{Q}_4$. Based on Table 1, the values for no diversion and safety 
can be specified as follows: [the requirements table in terms of $(y_1, y_2)$ is not 
legible in the scanned copy]. 

Let L denote the mapping $L : \hat{U}_4 \to \{f_4\}$. Using the above table and the 
state diagram for $\hat{Q}_4$ in Figure 7, we can specify the inverses $L^{-1}(f_4)$ in 
terms of the state numbers: 

$L^{-1}(2) = V_1$ 

where 

$V_1$ = {no diversion, phase 1} × {no diversion, phase 2} 
$V_1 = \{1\} \times \{1, 2, 3, 4, 5, 6, 7, 8\}$ 

$L^{-1}(1) = V_2 \cup V_3$ 

where 

$V_2$ = {no diversion, phase 1} × {diversion and safe, phase 2} 
$V_2 = \{1\} \times \emptyset$ 

$V_3$ = {diversion and safe, phase 1} × {safe, phase 2} 
$V_3 = \{2, 3, 4, 5, 6, 7, 8\} \times \{1, 2, 3, 4, 5, 6, 7, 8\}$ 

$L^{-1}(0) = V_4 \cup V_5$ 

where 

$V_4$ = {unsafe, phase 1} × {all states, phase 2} 

$V_4 = \{9\} \times \hat{Q}_4$ 

$V_5$ = {safe, phase 1} × {unsafe, phase 2} 
$V_5 = \{1, 2, 3, 4, 5, 6, 7, 8\} \times \{9\}$. 

FIGURE 7. STATE DIAGRAM FOR $\hat{Q}_4$ AND EACH PHASE (figure not reproduced here). 


The intraphase transition matrix is shown in Figure 8. 

The symbolic computations for $\Pr(V_n)$ are as follows: 

$V_1 = \{1\} \times \{1, 2, 3, 4, 5, 6, 7, 8\}$ 

$G_{V_1,1} = \mathrm{diag}(1, 0, 0, 0, 0, 0, 0, 0, 0)$, $G_{V_1,2} = \mathrm{diag}(1, 1, 1, 1, 1, 1, 1, 1, 0)$ 

$I(0) = [1\ 0\ 0\ 0\ 0\ 0\ 0\ 0\ 0]$ 

$F = [1\ 1\ 1\ 1\ 1\ 1\ 1\ 1\ 1]^t$ 

$$\Pr(V_1) = I(0) \cdot P_1 \cdot G_{V_1,1} \cdot P_2 \cdot G_{V_1,2} \cdot F = P_1(1,1) \sum_{j=1}^{8} P_2(1,j)$$ 

$V_2 = \{1\} \times \emptyset$ 

$\Pr(V_2) = 0$ since $\Pr(\emptyset) = 0$. 

$V_3 = \{2, 3, 4, 5, 6, 7, 8\} \times \{1, 2, 3, 4, 5, 6, 7, 8\}$ 

$G_{V_3,1} = \mathrm{diag}(0, 1, 1, 1, 1, 1, 1, 1, 0)$, $G_{V_3,2} = \mathrm{diag}(1, 1, 1, 1, 1, 1, 1, 1, 0)$ 

$I(0)$ and $F$ are as above. 

$$\Pr(V_3) = \sum_{j=2}^{8} P_1(1,j) \left( \sum_{k=1}^{8} P_2(j,k) \right)$$ 

FIGURE 8. INTRAPHASE TRANSITION MATRIX FOR $\hat{Q}_4$ AND PHASE k. THE PHASE 
SUBSCRIPT k IS OMITTED FROM THE P(i,j) FOR CONVENIENCE. 

The matrix is 9 × 9 and upper triangular; its nonzero entries are: 

Row 1: $P(1,1), P(1,2), \ldots, P(1,9)$ (all nine entries) 
Row 2: $P(2,2), P(2,3), P(2,5), P(2,6), P(2,8), P(2,9)$ 
Row 3: $P(3,3), P(3,6), P(3,9)$ 
Row 4: $P(4,4), P(4,5), P(4,6), P(4,7), P(4,8), P(4,9)$ 
Row 5: $P(5,5), P(5,6), P(5,8), P(5,9)$ 
Row 6: $P(6,6), P(6,9)$ 
Row 7: $P(7,7), P(7,8), P(7,9)$ 
Row 8: $P(8,8), P(8,9)$ 
Row 9: $P(9,9) = 1$ 

$V_4 = \{9\} \times \hat{Q}_4$ 

$\Pr(V_4) = P_1(1,9)$ since $\Pr(\hat{Q}_4) = 1$. 

$V_5 = \{1, 2, 3, 4, 5, 6, 7, 8\} \times \{9\}$ 

$G_{V_5,1} = \mathrm{diag}(1, 1, 1, 1, 1, 1, 1, 1, 0)$, $G_{V_5,2} = \mathrm{diag}(0, 0, 0, 0, 0, 0, 0, 0, 1)$ 

$I(0)$ and $F$ are as above. 

$$\Pr(V_5) = \sum_{j=1}^{8} P_1(1,j) \cdot P_2(j,9).$$ 


Next, we can compute the $P_k(i,j)$ probabilities using the individual 
transition probabilities for each $Y_i$. Let 

$W_k(m,n) = \Pr\{Y_i \text{ ends phase } k \text{ in state } n \mid Y_i \text{ begins phase } k \text{ in state } m\}$. 

The associated state diagram (states of $Y_i$ in terms of FCC and BIU) is not 
reproduced here. 

Let $p_F = \Pr[\text{FCC remains fault-free for the phase}]$, $q_F = 1 - p_F$ 

$p_B = \Pr[\text{a BIU remains fault-free for the phase}]$, $q_B = 1 - p_B$ 

Then the $W_k(m,n)$ may be expressed as follows: 

    W_k(m,n)            n = 2            n = 1              n = 0 
    m = 2             p_F p_B^2       2 p_F p_B q_B      q_F + p_F q_B^2 
    m = 1                0              p_F p_B          q_F + p_F q_B 
    m = 0                0                 0                   1 


Using MTBF data and phase durations, 

             Phase 1          Phase 2 
    p_F      .99756962        .99993334 
    q_F      2.43038 E-3      6.66645 E-5 
    p_B      .99878407        .99996667 
    q_B      1.21593 E-3      3.33328 E-5 

The above data are used to compute the $W_k(m,n)$: 

    W_1(m,n)            n = 2            n = 1            n = 0 
    m = 2             .99514514       2.42299 E-3      2.43185 E-3 
    m = 1                0            .99635664        3.64335 E-3 
    m = 0                0                0                 1 

    W_2(m,n)            n = 2            n = 1            n = 0 
    m = 2             .99986668       6.66589 E-5      6.66656 E-5 
    m = 1                0            .99990001        9.99951 E-5 
    m = 0                0                0                 1 

Next, the $W_k(m,n)$ and the state diagram for $\hat{Q}_4$ (Figure 7) are used to 
compute the $P_k(i,j)$. Only those $P_k(i,j)$ with positive values are computed. 

$P_1(1,1) = W_1(2,2)^2 = .990314$ 
$P_1(1,2) = W_1(2,2) \cdot W_1(2,1) = 2.41123$ E-3 
$P_1(1,3) = W_1(2,2) \cdot W_1(2,0) = 2.42004$ E-3 
$P_1(1,4) = W_1(2,1) \cdot W_1(2,2) = 2.41123$ E-3 
$P_1(1,5) = W_1(2,1)^2 = 5.87088$ E-6 
$P_1(1,6) = W_1(2,1) \cdot W_1(2,0) = 5.89235$ E-6 
$P_1(1,7) = W_1(2,0) \cdot W_1(2,2) = 2.42004$ E-3 
$P_1(1,8) = W_1(2,0) \cdot W_1(2,1) = 5.89235$ E-6 
$P_1(1,9) = W_1(2,0)^2 = 5.91389$ E-6 

$P_2(1,1) = .9997334$ 
$P_2(1,2) = 6.66500$ E-5 
$P_2(1,3) = 6.66577$ E-5 
$P_2(1,4) = 6.66500$ E-5 
$P_2(1,5) = 4.44341$ E-9 
$P_2(1,6) = 4.44392$ E-9 
$P_2(1,7) = 6.66577$ E-5 
$P_2(1,8) = 4.44392$ E-9 
$P_2(1,9) = 4.44443$ E-9 

$P_2(2,2) = W_2(2,2) \cdot W_2(1,1) = .999767$ 
$P_2(2,3) = W_2(2,2) \cdot W_2(1,0) = 9.99818$ E-5 
$P_2(2,5) = W_2(2,1) \cdot W_2(1,1) = 6.66522$ E-5 
$P_2(2,6) = W_2(2,1) \cdot W_2(1,0) = 6.66556$ E-9 
$P_2(2,8) = W_2(2,0) \cdot W_2(1,1) = 6.66599$ E-5 
$P_2(2,9) = W_2(2,0) \cdot W_2(1,0) = 6.66633$ E-9 

$P_2(3,3) = W_2(2,2) = .999867$ 
$P_2(3,6) = W_2(2,1) = 6.66589$ E-5 
$P_2(3,9) = W_2(2,0) = 6.66656$ E-5 

$P_2(4,4) = W_2(1,1) \cdot W_2(2,2) = .999767$ 
$P_2(4,5) = W_2(1,1) \cdot W_2(2,1) = 6.66522$ E-5 
$P_2(4,6) = W_2(1,1) \cdot W_2(2,0) = 6.66599$ E-5 
$P_2(4,7) = W_2(1,0) \cdot W_2(2,2) = 9.99818$ E-5 
$P_2(4,8) = W_2(1,0) \cdot W_2(2,1) = 6.66556$ E-9 
$P_2(4,9) = W_2(1,0) \cdot W_2(2,0) = 6.66633$ E-9 

$P_2(5,5) = W_2(1,1)^2 = .999800$ 
$P_2(5,6) = W_2(1,1) \cdot W_2(1,0) = 9.99851$ E-5 
$P_2(5,8) = W_2(1,0) \cdot W_2(1,1) = 9.99851$ E-5 
$P_2(5,9) = W_2(1,0)^2 = 9.99902$ E-9 

$P_2(6,6) = W_2(1,1) = .999900$ 
$P_2(6,9) = W_2(1,0) = 9.99951$ E-5 

$P_2(7,7) = W_2(2,2) = .999867$ 
$P_2(7,8) = W_2(2,1) = 6.66589$ E-5 
$P_2(7,9) = W_2(2,0) = 6.66656$ E-5 

$P_2(8,8) = W_2(1,1) = .999900$ 
$P_2(8,9) = W_2(1,0) = 9.99951$ E-5 

$P_2(9,9) = 1.00$ 

The $P_k(i,j)$ are used to compute the $\Pr(V_n)$ according to the 
equations previously derived. The results are: 

$\Pr(V_1) = .990314$ 
$\Pr(V_2) = 0$ 
$\Pr(V_3) = 9.67988$ E-3 
$\Pr(V_4) = 5.91389$ E-6 
$\Pr(V_5) = 3.2827939$ E-7 

Finally, the probabilities for the function $f_4$ are computed: 

$\Pr(F_4 = 2) = \Pr(L^{-1}(2)) = \Pr(V_1) = .990314$ 

$\Pr(F_4 = 1) = \Pr(L^{-1}(1)) = \Pr(V_2) + \Pr(V_3) = 9.67987$ E-3 

$\Pr(F_4 = 0) = \Pr(L^{-1}(0)) = \Pr(V_4) + \Pr(V_5) = 6.242174$ E-6 
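As a second added example (not the report's own code), the following Python code carries out the two-level construction above: $W_k(m,n)$ is built from $p_F$, $p_B$ for one PU, $P_k(i,j)$ is formed as the product of the two PU transitions, and $\Pr(F_4 = f_4)$ is evaluated from the closed-form expressions for $\Pr(V_1)$, $\Pr(V_3)$, $\Pr(V_4)$ and $\Pr(V_5)$ derived earlier. The FCC and BIU MTBFs (500 h and 1000 h) and the phase lengths (73 and 2 minutes) are assumptions chosen to reproduce the $p_F$, $p_B$ values tabulated above.

```python
import math

# Subspace Q4 of the multi-processor problem at the processing-unit (PU) level.
# Assumed MTBFs (they reproduce the p_F, p_B tabulated above): FCC 500 h, BIU 1000 h.
MTBF_FCC_HOURS, MTBF_BIU_HOURS = 500.0, 1000.0
PHASE_MINUTES = (73.0, 2.0)  # assumed phase lengths

# Q4-hat state number -> (Y1, Y2), Y_i = state of PU_i; 9 = (0, 0) is unsafe.
STATES = {1: (2, 2), 2: (2, 1), 3: (2, 0), 4: (1, 2), 5: (1, 1), 6: (1, 0),
          7: (0, 2), 8: (0, 1), 9: (0, 0)}
SAFE = range(1, 9)


def pu_transition(minutes):
    """W_k(m, n) = Pr{Y_i ends the phase in state n | it began in state m}."""
    p_f = math.exp(-(minutes / 60.0) / MTBF_FCC_HOURS)  # FCC fault-free all phase
    p_b = math.exp(-(minutes / 60.0) / MTBF_BIU_HOURS)  # a BIU fault-free all phase
    q_f, q_b = 1.0 - p_f, 1.0 - p_b
    return {
        (2, 2): p_f * p_b ** 2,
        (2, 1): 2 * p_f * p_b * q_b,
        (2, 0): q_f + p_f * q_b ** 2,  # FCC fails, or both BIUs fail
        (1, 1): p_f * p_b,
        (1, 0): q_f + p_f * q_b,
        (0, 0): 1.0,                   # a dead PU stays dead
    }


def intraphase_matrix(minutes):
    """P_k(i, j) = W_k(m1, n1) * W_k(m2, n2): the two PUs fail independently."""
    W = pu_transition(minutes)
    return {(i, j): W.get((m1, n1), 0.0) * W.get((m2, n2), 0.0)
            for i, (m1, m2) in STATES.items()
            for j, (n1, n2) in STATES.items()}


def row_sums(P):
    """Sanity check: each row of P_k must sum to 1."""
    return {i: sum(P[i, j] for j in STATES) for i in STATES}


def q4_function_probabilities():
    """Pr(F4 = f4) via Pr(V1)..Pr(V5) of L^-1(2), L^-1(1) and L^-1(0)."""
    P1 = intraphase_matrix(PHASE_MINUTES[0])
    P2 = intraphase_matrix(PHASE_MINUTES[1])
    pr_v1 = P1[1, 1] * sum(P2[1, j] for j in SAFE)            # {1} x {1..8}
    pr_v2 = 0.0                                               # {1} x empty set
    pr_v3 = sum(P1[1, j] * sum(P2[j, k] for k in SAFE)        # {2..8} x {1..8}
                for j in range(2, 9))
    pr_v4 = P1[1, 9]                                          # {9} x Q4-hat
    pr_v5 = sum(P1[1, j] * P2[j, 9] for j in SAFE)            # {1..8} x {9}
    return {2: pr_v1, 1: pr_v2 + pr_v3, 0: pr_v4 + pr_v5}


if __name__ == "__main__":
    for phase, minutes in enumerate(PHASE_MINUTES, start=1):
        W = pu_transition(minutes)
        print(f"phase {phase}: W(2,2)={W[2, 2]:.8f} W(2,1)={W[2, 1]:.5e} "
              f"W(2,0)={W[2, 0]:.5e}")
    for f4, value in sorted(q4_function_probabilities().items(), reverse=True):
        print(f"Pr(F4 = {f4}) = {value:.6e}")
```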


Final Computations. The preceding four subsections show the derivations of 
$\Pr(F_i = f_i)$, $f_i \in \{0, 1, 2\}$, for each of the four subspaces. In this subsection, 
the preceding results are combined to compute $P(a_n)$, the probability of 
accomplishment level $a_n$, for each $a_n \in A$. The remaining steps for each $a_n$ 
are as follows: 

• For each $v = (f_1, f_2, f_3, f_4) \in \gamma_1^{-1}(a_n)$, compute 
$$\Pr(V) = \prod_{i=1}^{4} \Pr(F_i = f_i)$$ 

• Sum the $\Pr(V)$ quantities for all $V \in \gamma_1^{-1}(a_n)$: 
$$P(a_n) = \Pr(\gamma_1^{-1}(a_n)) = \sum_{V \in \gamma_1^{-1}(a_n)} \Pr(V).$$ 

The computation in the first step is based on the independence of the 
subspaces. The equation in the second step uses the fact that the elements 
$V$ of $\gamma_1^{-1}(a_n)$ are mutually exclusive. The $\Pr(F_i = f_i)$ values from the preceding 
analysis are presented in Table 3. 



TABLE 3. CONTRIBUTIONS OF SUBSPACES TO MISSION OUTCOMES: 
$\Pr(F_i = f_i)$ where i = 1, 2, 3, 4 and $f_i \in \{0, 1, 2\}$. 

    i     Pr(F_i = 2)     Pr(F_i = 1)     Pr(F_i = 0) 
    1     .995788         4.21164 E-3     0 
    2     .998778         1.21553 E-3     6.8822 E-6 
    3     .989110         1.08774 E-2     1.28592 E-5 
    4     .990314         9.67987 E-3     6.24217 E-6 







From the Level 1 Model discussion, $\gamma_1^{-1}(a_0) = \{(2, 2, 2, 2)\}$, so 
$$\Pr((2, 2, 2, 2)) = \prod_{i=1}^{4} \Pr(F_i = 2) = .974212.$$ 

Hence, $P(a_0) = .974212$. 


Next, $\gamma_1^{-1}(a_1) = \{v_1, v_2, v_3, v_4\}$ where, writing each vector in the order 
$(f_1, f_2, f_3, f_4)$, 

$v_1 = (1,\ 1\text{ or }2,\ 1\text{ or }2,\ 1\text{ or }2)$ 

$v_2 = (2,\ 1,\ 1\text{ or }2,\ 1\text{ or }2)$ 

$v_3 = (2,\ 2,\ 1,\ 1\text{ or }2)$ 

$v_4 = (2,\ 2,\ 2,\ 1)$ 

$\Pr(v_1) = \Pr(F_1 = 1) \cdot (\Pr(F_2 = 1) + \Pr(F_2 = 2)) \cdot (\Pr(F_3 = 1) + \Pr(F_3 = 2))$ 
$\cdot (\Pr(F_4 = 1) + \Pr(F_4 = 2))$ 

$= 4.21153$ E-3 

Similarly, 

$\Pr(v_2) = 1.21039$ E-3 
$\Pr(v_3) = 1.08183$ E-2 
$\Pr(v_4) = 9.52248$ E-3 

Summing the $\Pr(v_i)$ yields $P(a_1) = .025763$. 


Next, $\gamma_1^{-1}(a_2) = \{v_5, v_6, v_7, v_8\}$ where 

$v_5 = (0,\ *,\ *,\ *)$ 

$v_6 = (1\text{ or }2,\ 0,\ *,\ *)$ 

$v_7 = (1\text{ or }2,\ 1\text{ or }2,\ 0,\ *)$ 

$v_8 = (1\text{ or }2,\ 1\text{ or }2,\ 1\text{ or }2,\ 0)$ 

Since * represents "any feasible value", $\Pr(F_i = *) = 1.0$. 

To ensure numerical accuracy, the values $\Pr(F_i = 0)$ are computed as follows: 
$\Pr(F_i = 0) = 1 - (\Pr(F_i = 1) + \Pr(F_i = 2))$. 

Using the probability values from Table 3, 

$\Pr(v_5) = \Pr(F_1 = 0) = 0$ 

$\Pr(v_6) = [\Pr(F_1 = 1) + \Pr(F_1 = 2)] \cdot \Pr(F_2 = 0) = 6.88218$ E-6 

$\Pr(v_7) = [\Pr(F_1 = 1) + \Pr(F_1 = 2)] \cdot [\Pr(F_2 = 1) + \Pr(F_2 = 2)] \cdot \Pr(F_3 = 0) = 1.285904$ E-5 

$\Pr(v_8) = [\Pr(F_1 = 1) + \Pr(F_1 = 2)] \cdot [\Pr(F_2 = 1) + \Pr(F_2 = 2)] \cdot [\Pr(F_3 = 1) + \Pr(F_3 = 2)] \cdot \Pr(F_4 = 0)$ 
$= 6.24205$ E-6 

Summing the above $\Pr(v_i)$ yields $P(a_2) = 25.9833$ E-6. 

In summary, the mission outcome probabilities are 

Safe, no diversion: $P(a_0) = .974212$ 

Safe, diversion: $P(a_1) = .025763$ 

Unsafe: $P(a_2) = 25.9833 \times 10^{-6}$. 
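As a third added example (again not the report's own code), the following Python code performs the two final steps on the Table 3 values: it enumerates the vectors $v \in \gamma_1^{-1}(a_n)$ listed in this section, expanding "1 or 2" and "*" as the text prescribes, multiplies the independent $\Pr(F_i = f_i)$, and sums over each inverse image. It also checks that the vectors within one inverse image are mutually exclusive, which the summation step relies on. The Table 3 values are used as printed, so the three outcome probabilities sum to 1 only up to their rounding.

```python
# Table 3 of the report: Pr(F_i = f_i) for the four independent subspaces Q1..Q4.
TABLE_3 = {
    1: {2: 0.995788, 1: 4.21164e-3, 0: 0.0},
    2: {2: 0.998778, 1: 1.21553e-3, 0: 6.8822e-6},
    3: {2: 0.989110, 1: 1.08774e-2, 0: 1.28592e-5},
    4: {2: 0.990314, 1: 9.67987e-3, 0: 6.24217e-6},
}

ANY = "*"              # "any feasible value": Pr(F_i = *) = 1.0
ONE_OR_TWO = "1 or 2"  # Pr(F_i = 1 or 2) = Pr(F_i = 1) + Pr(F_i = 2)

# gamma_1^{-1}(a_n): the vectors v = (f1, f2, f3, f4) that yield each outcome.
INVERSE_IMAGES = {
    "a0": [(2, 2, 2, 2)],                               # safe, no diversion
    "a1": [(1, ONE_OR_TWO, ONE_OR_TWO, ONE_OR_TWO),     # safe, diversion
           (2, 1, ONE_OR_TWO, ONE_OR_TWO),
           (2, 2, 1, ONE_OR_TWO),
           (2, 2, 2, 1)],
    "a2": [(0, ANY, ANY, ANY),                           # unsafe
           (ONE_OR_TWO, 0, ANY, ANY),
           (ONE_OR_TWO, ONE_OR_TWO, 0, ANY),
           (ONE_OR_TWO, ONE_OR_TWO, ONE_OR_TWO, 0)],
}


def pr_component(i, f, table=TABLE_3):
    """Pr(F_i = f) for a literal level, '1 or 2', or the wildcard '*'."""
    if f == ANY:
        return 1.0
    if f == ONE_OR_TWO:
        return table[i][1] + table[i][2]
    return table[i][f]


def pr_vector(v, table=TABLE_3):
    """Pr(V) = product over i of Pr(F_i = f_i), by independence of the subspaces."""
    prod = 1.0
    for i, f in enumerate(v, start=1):
        prod *= pr_component(i, f, table)
    return prod


def outcome_probabilities(table=TABLE_3):
    """P(a_n) = sum of Pr(V) over the mutually exclusive V in gamma_1^{-1}(a_n)."""
    return {name: sum(pr_vector(v, table) for v in vectors)
            for name, vectors in INVERSE_IMAGES.items()}


def vectors_are_disjoint(vectors):
    """True if no two vectors can be satisfied by the same (f1, f2, f3, f4)."""
    def levels(f):
        return {0, 1, 2} if f == ANY else ({1, 2} if f == ONE_OR_TWO else {f})
    for a_index, a in enumerate(vectors):
        for b in vectors[a_index + 1:]:
            # two patterns overlap only if every coordinate's level sets intersect
            if all(levels(x) & levels(y) for x, y in zip(a, b)):
                return False
    return True


if __name__ == "__main__":
    probs = outcome_probabilities()
    for name, value in probs.items():
        print(f"P({name}) = {value:.6e}")
    print("total =", sum(probs.values()))
```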





Dependencies Not Captured 


As noted in the discussion of the application of performability 
analysis to the dual-dual problem (see the section entitled "Analysis Results"), 
an error was made in selecting groups of components which were independent 
with respect to their impacts on the mission outcome. The following paragraphs 
explain the dependencies in question and provide an upper bound for their 
probability of occurrence. 

The performability analysis solution treated the components in inde- 
pendent sets. In particular, components 1 and 2 were in one set (call it $C_1$) 
while components 3, 4, and 5 comprised a different set (call it $C_2$). The 
probabilities of set $C_1$ resulting in mission accomplishment level $a_n$ ($a_0$ = no 
diversion, safe; $a_1$ = diversion, safe; $a_2$ = unsafe) were computed independent 
of the state of the set $C_2$. Similarly, the probabilities of $C_2$ resulting in 
$a_n$ were computed independent of $C_1$. However, $C_1$ and $C_2$ are not independent. 

There are two cases (i.e., mission profiles) in which $C_1$ and $C_2$ 
must be considered simultaneously to determine the correct mission outcome. 
In each case, the CAT II landing is initiated, after which both DAD's fail. 
In this state, the CAT II landing can still be completed (even though the 
safe flight conditions are not satisfied). A subsequent failure of the radar 
altimeter or of both VOR's causes violation of the conditions required to 
complete the CAT II landing, thereby causing a diversion. When a diversion 
occurs, the safe flight conditions must be met or the aircraft is lost. Since 
both DAD's are failed, the aircraft is lost. When the sets $C_1$ and $C_2$ were 
treated independently, both of the above cases were treated as if the mission 
outcome was diversion and safe flight. Note that if either the radar 
altimeter or both VOR's fail first (i.e., prior to failure of both DAD's), 
then the CAT II landing is aborted and the aircraft is lost. These possibilities 
were captured correctly by the analysis. 

To compute an upper bound for the probability of occurrence of the 
two above cases, let represent the two cases; i.e., 

E^^the event the CAT II landing is initiated; and both DAD's 
fail before the landing is completed; and then either the 
radar altimeter or the second VOR fails before the landing 
is completed. 

Let 

E2=the event the CAT II landing is initiated, and both DAD's 
and either the radar altimeter or both VOR's fail before 
the landing is completed. 

Clearly, Pr (E^) ^ Pr (E2) • 

Next, let 

E2=the event the CAT II landing is initiated. 

According to the well-known Baye's Theorem, 

Pr(E2)=Pr(E2lE2)*Pr(E2). 

Since PrCE^) _5 1 , then Pr(E2> _<Pr(E2|E2). 

Combining this inequality with Pr(E^) ^ Pr(E2) implies 

Pr(E^) J Pr(E2|E2). 

Hence, an upper bound for the event of interest, $E_1$, is the probability
that both DAD's fail in a two minute period and either the radar altimeter or
both VOR's fail in a two minute period. Using the MTBF data from Table 1 of
the dual-dual problem statement (DAD 2000 hours, radar altimeter 700 hours,
VOR 1000 hours), expressing the two-minute exposure as $2/60$ hours, and
bounding the probability of the union ("radar altimeter or both VOR's") by the
sum of the two probabilities,

$$\Pr(E_2 \mid E_3) \le \left(1 - e^{-\frac{2}{2000 \cdot 60}}\right)^2
\left[\left(1 - e^{-\frac{2}{700 \cdot 60}}\right)
+ \left(1 - e^{-\frac{2}{1000 \cdot 60}}\right)^2\right]$$

$$\Pr(E_2 \mid E_3) \le 1.33 \times 10^{-14},$$

and therefore

$$\Pr(E_1) \le 1.33 \times 10^{-14}.$$
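The bound above, carried through numerically as an added example; this code is not part of the report. It assumes independent, exponentially distributed component lifetimes (constant failure rate $1/\mathrm{MTBF}$), uses the MTBFs that appear in the bound (DAD 2000 h, radar altimeter 700 h, VOR 1000 h) with the two-minute landing window, and the function names are this example's own. Besides reproducing the $1.33 \times 10^{-14}$ figure, it evaluates the same unordered event with the exact probability of the union instead of the sum, and the probability of the event with the ordering $E_1$ actually requires (DAD failures first, then the radar altimeter), so that each step of the bound can be seen to be conservative and by how much.

```python
"""Upper bound on Pr(E_1) for the dual-dual CAT II landing case.

Added example, not taken from the NASA report. Assumptions:
  * component lifetimes are independent and exponential (rate = 1/MTBF);
  * MTBFs are those read from the bound in the text (hours);
  * the exposure is the two-minute landing window from the text.
"""
import math

# Constructed from the values that appear in the text's bound (hours).
MTBF_HOURS = {"DAD": 2000.0, "radar_altimeter": 700.0, "VOR": 1000.0}
LANDING_WINDOW_HOURS = 2.0 / 60.0  # two-minute CAT II landing, in hours


def p_fail(mtbf_hours: float, t_hours: float) -> float:
    """Pr(a component with the given MTBF fails within t_hours).

    -expm1(-x) equals 1 - exp(-x) but keeps full precision for x ~ 1e-5,
    where 1.0 - math.exp(-x) would lose about five significant digits.
    """
    return -math.expm1(-t_hours / mtbf_hours)


def union_bound(mtbf=MTBF_HOURS, t=LANDING_WINDOW_HOURS) -> float:
    """The report's bound on Pr(E_2 | E_3): both DADs fail, and (RA fails
    OR both VORs fail), with Pr(A or B) replaced by Pr(A) + Pr(B)."""
    both_dads = p_fail(mtbf["DAD"], t) ** 2
    ra = p_fail(mtbf["radar_altimeter"], t)
    both_vors = p_fail(mtbf["VOR"], t) ** 2
    return both_dads * (ra + both_vors)


def exact_unordered(mtbf=MTBF_HOURS, t=LANDING_WINDOW_HOURS) -> float:
    """Same event, but with the exact Pr(A or B) = Pr(A) + Pr(B) - Pr(A)Pr(B)
    for independent A and B. Shows how little the union bound gives away."""
    both_dads = p_fail(mtbf["DAD"], t) ** 2
    ra = p_fail(mtbf["radar_altimeter"], t)
    both_vors = p_fail(mtbf["VOR"], t) ** 2
    return both_dads * (ra + both_vors - ra * both_vors)


def ordered_dads_then_ra(mtbf=MTBF_HOURS, t=LANDING_WINDOW_HOURS) -> float:
    """Pr(both DADs fail and THEN the radar altimeter fails, all within t).

    This is the ordering E_1 requires. The VOR branch is ignored here; with
    these MTBFs it is about five orders of magnitude smaller than the RA branch.
    Closed form of   integral_0^t lam_r e^{-lam_r r} (1 - e^{-lam_d r})^2 dr
    after expanding the square as 1 - 2 e^{-lam_d r} + e^{-2 lam_d r}.
    """
    lam_d = 1.0 / mtbf["DAD"]
    lam_r = 1.0 / mtbf["radar_altimeter"]

    def piece(rate: float) -> float:
        # integral_0^t lam_r * exp(-rate * r) dr
        return lam_r / rate * -math.expm1(-rate * t)

    return piece(lam_r) - 2.0 * piece(lam_r + lam_d) + piece(lam_r + 2.0 * lam_d)


def report() -> dict:
    """The three figures side by side, for comparison."""
    return {
        "union_bound": union_bound(),
        "exact_unordered": exact_unordered(),
        "ordered_dads_then_ra": ordered_dads_then_ra(),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:22s} {value:.4e}")
```

The three values come out at about $1.32 \times 10^{-14}$, $1.32 \times 10^{-14}$ and $4.4 \times 10^{-15}$: replacing the union by the sum costs essentially nothing here, whereas requiring the DAD failures to precede the radar-altimeter failure removes roughly two thirds of the probability (for small $\lambda t$ the ordered probability tends to $\lambda_r \lambda_d^2 t^3 / 3$ against $\lambda_r \lambda_d^2 t^3$ for the unordered product). The use of `math.expm1` matters at these magnitudes: forming `1 - math.exp(-x)` for $x \approx 1.7 \times 10^{-5}$ discards digits before the product is even taken.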



1. Report No.: NASA CR-159358

4. Title and Subtitle: COMPARATIVE ANALYSIS OF TECHNIQUES FOR EVALUATING THE
EFFECTIVENESS OF AIRCRAFT COMPUTING SYSTEMS

5. Report Date: April 1981

7. Author(s): E. F. Hitt, M. S. Bridgman, and A. C. Robinson

9. Performing Organization Name and Address: Battelle Columbus Laboratories,
505 King Avenue, Columbus, Ohio 43201

11. Contract or Grant No.: NAS1-15760

12. Sponsoring Agency Name and Address: National Aeronautics and Space
Administration, Langley Research Center, Hampton, Virginia 23665

13. Type of Report and Period Covered: Contractor Report

15. Supplementary Notes: Langley technical monitor: G. E. Migneault

16. Abstract

Performability analysis is a technique developed under NASA Grant NSG 1306 for
evaluating the effectiveness of fault-tolerant computing systems in multi-phase
missions. In this study, performability was evaluated for its accuracy,
practical usefulness, and relative cost. The evaluation was performed by
applying performability and the fault tree method to a set of sample problems
ranging from simple to moderately complex. The problems involved as many as
five outcomes, two to five mission phases, permanent faults, and some
functional dependencies. Transient faults and software errors were not
considered. A different analyst was responsible for each technique. This
report describes the sample problems and their solutions using each method.

Significantly more time and effort were required to learn performability
analysis than the fault tree method. Performability is inherently as accurate
as fault tree analysis. For the sample problems, fault trees were more
practical and less time-consuming to apply, while performability required less
ingenuity and was more "checkable". Performability may offer some advantages
for evaluating very complex problems.

17. Key Words (Suggested by Author(s)): Reliability analysis; Fault-tolerant
computing; Performability

19. Security Classif. (of this report): Unclassified

20. Security Classif. (of this page): Unclassified

21. No. of Pages: 147

For sale by the National Technical Information Service, Springfield, Virginia 22151



